Analysis system, method, and program

ABSTRACT

An analysis unit 6 generates one or more pairs of a start point fact, which is a fact representing the possibility of an attack in a device that is a start point, and an end point fact, which is a fact representing the possibility of an attack in a device that is an end point; analyzes, for each pair, whether or not the end point fact can be derived from the start point fact, based on facts representing the states of the devices (generated from information regarding the start point device and information regarding the end point device), the start point fact, and one or more analysis rules for analyzing the attack; and generates an attack scenario in a case where the end point fact can be derived from the start point fact.

TECHNICAL FIELD

The present invention relates to an analysis system, analysis method, and analysis program for analyzing attacks on systems to be diagnosed.

BACKGROUND ART

An information processing system that includes multiple computers is required to take security measures to protect information assets from cyber attacks. Security measures include assessing the vulnerability of the target system and removing vulnerabilities as necessary.

Patent literature 1 describes a system that generates a directed acyclic graph representing the relationship between each device and the vulnerability of each device as a device risk assessment model.

CITATION LIST

Patent Literatures

PTL 1: Japanese Patent Application Laid-Open No. 2017-224053

SUMMARY OF INVENTION

Technical Problem

A system that is a target of security diagnosis is referred to as a system to be diagnosed. It is preferable to be able to present the analysis results for a system to be diagnosed to the security administrator so that the attack order, etc. can be easily understood.

Therefore, the purpose of the present invention is to provide an analysis system, analysis method, and analysis program that can present analysis results for a system to be diagnosed so that the attack order, etc. can be easily understood.

Solution to Problem

An analysis system according to the present invention includes a fact generation unit which generates a fact, which is data representing a security situation of a system to be diagnosed, based on information regarding each device included in the system to be diagnosed; and an analysis unit which generates one or more pairs of a start point fact, which is a fact representing the possibility of an attack in the device that is a start point, and an end point fact, which is a fact representing the possibility of an attack in the device that is an end point, analyzes, for each pair, whether or not the end point fact can be derived from the start point fact, based on facts representing the states of the devices generated from information regarding the device that is the start point and information regarding the device that is the end point, the start point fact, and one or more analysis rules for analyzing the attack, and generates an attack scenario, which is information representing a transition relationship of a combination of a device, an attack state, and privileges that can correspond to the attack state according to the start point fact and the end point fact, in a case where the end point fact can be derived from the start point fact.

An analysis system according to the present invention includes an input unit to which an attack graph regarding a system to be diagnosed is input, and an analysis unit which searches for a pair of a combination node, indicating a combination of a device, an attack state, and privileges, and a combination node next to that combination node, and generates an attack scenario, which is information representing a transition relationship of a combination of the device, the attack state, and the privileges that can correspond to the attack state, for each pair of combination nodes.

In an analysis method according to the present invention, one or more computers generate a fact, which is data representing a security situation of a system to be diagnosed, based on information regarding each device included in the system to be diagnosed; generate one or more pairs of a start point fact, which is a fact representing the possibility of an attack in the device that is a start point, and an end point fact, which is a fact representing the possibility of an attack in the device that is an end point; analyze, for each pair, whether or not the end point fact can be derived from the start point fact, based on facts representing the states of the devices generated from information regarding the device that is the start point and information regarding the device that is the end point, the start point fact, and one or more analysis rules for analyzing the attack; and generate an attack scenario, which is information representing a transition relationship of a combination of a device, an attack state, and privileges that can correspond to the attack state according to the start point fact and the end point fact, in a case where the end point fact can be derived from the start point fact.

In an analysis method according to the present invention, one or more computers receive an input of an attack graph regarding a system to be diagnosed, search for a pair of a combination node, indicating a combination of a device, an attack state, and privileges, and a combination node next to that combination node, and generate an attack scenario, which is information representing a transition relationship of a combination of the device, the attack state, and the privileges that can correspond to the attack state, for each pair of combination nodes.

An analysis program according to the present invention causes a computer to execute: a fact generation process of generating a fact, which is data representing a security situation of a system to be diagnosed, based on information regarding each device included in the system to be diagnosed; and an analysis process of generating one or more pairs of a start point fact, which is a fact representing the possibility of an attack in the device that is a start point, and an end point fact, which is a fact representing the possibility of an attack in the device that is an end point, analyzing, for each pair, whether or not the end point fact can be derived from the start point fact, based on facts representing the states of the devices generated from information regarding the device that is the start point and information regarding the device that is the end point, the start point fact, and one or more analysis rules for analyzing the attack, and generating an attack scenario, which is information representing a transition relationship of a combination of a device, an attack state, and privileges that can correspond to the attack state according to the start point fact and the end point fact, in a case where the end point fact can be derived from the start point fact.

An analysis program according to the present invention causes a computer to execute: a receiving input process of receiving an input of an attack graph regarding a system to be diagnosed, and an analysis process of searching for a pair of a combination node, indicating a combination of a device, an attack state, and privileges, and a combination node next to that combination node, and generating an attack scenario, which is information representing a transition relationship of a combination of the device, the attack state, and the privileges that can correspond to the attack state, for each pair of combination nodes.

Advantageous Effects of Invention

According to the present invention, it is possible to present analysis results for a system to be diagnosed so that the attack order, etc. can be easily understood.

BRIEF DESCRIPTION OF DRAWINGS

FIG. 1 It depicts a schematic diagram showing an example of a general attack graph.

FIG. 2 It depicts a block diagram showing an example of an analysis system of the first example embodiment of the present invention.

FIG. 3 It depicts a diagram showing an example of a generated fact.

FIG. 4 It depicts a diagram showing an example of an analysis rule.

FIG. 5 It depicts a schematic diagram showing an example of the display of an attack scenario.

FIG. 6 It depicts a schematic diagram showing an example of the display of an attack scenario.

FIG. 7 It depicts a flowchart showing an example of the processing procedure of an analysis system of the first example embodiment of the present invention.

FIG. 8 It depicts a flowchart showing an example of the processing procedure of an analysis system of the first example embodiment of the present invention.

FIG. 9 It depicts a block diagram showing an example of an analysis system in a modification of the first example embodiment.

FIG. 10 It depicts a schematic diagram showing an example of a display in which an attack scenario is superimposed on a network topology.

FIG. 11 It depicts a schematic diagram showing an example of the display of a network topology.

FIG. 12 It depicts a schematic diagram showing an example of the display of an attack scenario in the second example embodiment.

FIG. 13 It depicts a block diagram showing an example of an analysis system of the third example embodiment of the present invention.

FIG. 14 It depicts a schematic diagram showing an example of an attack pattern.

FIG. 15 It depicts a schematic diagram showing an example of a pattern table.

FIG. 16 It depicts a schematic diagram showing a case in which the facts that are the end points derived from a fact that is the start point are identical, but the analysis rules used to derive those end point facts are different.

FIG. 17 It depicts a diagram showing an example of an analysis rule.

FIG. 18 It depicts a diagram showing an example of an analysis rule.

FIG. 19 It depicts a schematic diagram showing an example of the display of an attack scenario and an attack pattern.

FIG. 20 It depicts a block diagram showing an example of an analysis system of the fourth example embodiment of the present invention.

FIG. 21 It depicts a schematic diagram showing an example of an attack graph input to an input unit.

FIG. 22 It depicts a flowchart showing an example of the processing procedure of an analysis system of the fourth example embodiment of the present invention.

FIG. 23 It depicts a schematic diagram showing an example of an attack graph and each analysis rule that are input to the input unit.

FIG. 24 It depicts a schematic block diagram showing a configuration example of a computer for the analysis system of each example embodiment of the present invention.

FIG. 25 It depicts a block diagram showing a summarized analysis system of the present invention.

FIG. 26 It depicts a block diagram showing another example of a summarized analysis system of the present invention.

DESCRIPTION OF EMBODIMENTS

The analysis system described in each of the following example embodiments is a system for analyzing cyber attacks on the system to be diagnosed (assessed). As described above, a system to be diagnosed is a system that is a target of security diagnosis. Examples of systems to be diagnosed include an information technology (IT) system in a company and a so-called operational technology (OT) system for controlling a factory, a plant, or the like. However, systems to be diagnosed are not limited to these. Any system in which multiple devices are connected through a communication network can be a system to be diagnosed.

Each device included in the system to be diagnosed is connected through a communication network. Examples of such devices include personal computers, servers, switches, routers, machine tools installed in factories, and control devices for machine tools. However, the devices are not limited to these examples. The devices may be physical devices or virtual devices.

One way to analyze attacks on the system to be diagnosed is to use an attack graph. An attack graph is a graph that can show the state of a device, such as the presence or absence of a vulnerability, and the relationship between an attack that can be executed on one device and an attack that can be executed on other devices as a consequence of the attack on the one device. An attack graph is represented as a directed graph in which any state that may relate to security (a device, a network, a vulnerability, security settings, etc.) is defined as a fact, the facts are nodes, and the relationships between facts are edges.

Here, a fact is data that represents the security situation of the system to be diagnosed. As a more detailed example, a fact represents some state of the system to be diagnosed, or of a device included in it, that mainly relates to security. As another detailed example, a fact represents an attack that may be performed on a device included in the system to be diagnosed. In this case, the fact is expressed as a combination of a device and an attack state, or a combination of a device, an attack state, and privileges, as described below. In the analysis of an attack, it is assumed that some attacks can be carried out on the devices included in the system to be diagnosed. Such an assumption may also be treated as a fact.

Facts can be determined from information obtained from each device included in the system to be diagnosed. In addition, a rule for deriving a new fact from existing facts (hereinafter referred to as an analysis rule) can be used to derive a new fact from one or more existing facts. For example, a new fact can be derived, using an analysis rule, from the facts determined from information obtained from each device. Furthermore, another new fact can be derived from the facts determined from device information together with a newly derived fact. This process is repeated until no analysis rule can derive any new fact. An attack graph can then be generated by making each fact a node and drawing, for each newly derived fact, an edge from the node of each fact on which the derivation was based to the node of the newly derived fact.

FIG. 1 is a schematic diagram showing an example of a general attack graph obtained in this way. In FIG. 1, the nodes represented by rectangles labeled “FACT” are the facts determined from information obtained from each device. The nodes represented by circles and the nodes represented by rectangles labeled “GOAL” are facts newly derived using the analysis rules. The “GOAL”s in FIG. 1 are the subset of the newly derived facts that are end points of the fact derivations.

The analysis system of each example embodiment below generates an attack scenario, which is information that represents a transition relationship of a combination of a device, an attack state, and privileges that can correspond to the attack state.

The analysis system of each example embodiment of the invention generates one or more pairs of a fact that is the start point and a fact that is the end point, and generates an attack scenario for each pair. Note that there may be pairs for which no attack scenario is generated.

Hereinafter, example embodiments of the present invention will be described with reference to the drawings.

Example Embodiment 1

FIG. 2 is a block diagram showing an example of the analysis system of the first example embodiment of the present invention. The analysis system 1 of the first example embodiment comprises a data collection unit 2, a data storage unit 3, a fact generation unit 4, an analysis rule storage unit 5, an analysis unit 6, an attack scenario storage unit 19, a display control unit 8, and a display device 9.

The data collection unit 2 collects information regarding each device included in the system to be diagnosed.

Information regarding a device is information that can be related to the security of the device. Examples of the information that the data collection unit 2 collects include the operating system (OS) installed on the device and its version, the hardware configuration of the device, the software installed on the device and its versions, information on the communication data exchanged between the device and other devices and the communication protocols used for that exchange, and information on the status of the device's ports (which ports are open). The communication data includes the source and destination of each communication. The information collected by the data collection unit 2 is not limited to these examples; the data collection unit 2 may also collect any other information that may be relevant to the security of the device.

The data collection unit 2 may collect information regarding the devices directly from each device included in the system to be diagnosed. In this case, the analysis system 1 is connected to each device through a communication network, and the data collection unit 2 collects the information from each device through that network.

Alternatively, the data collection unit 2 may obtain information regarding each device from an information collection server that collects it. In this case, the analysis system 1 is connected to the information collection server through a communication network, and the data collection unit 2 collects the information regarding each device from the server through that network.

When each device has an agent, the data collection unit 2 may collect information regarding each device through the agent. In other words, the data collection unit 2 may obtain the information from an information collection server that collects it through the agents.

Each agent installed on a device may transmit information regarding that device to the information collection server, and the data collection unit 2 may collect the information regarding each device included in the system to be diagnosed from that server. In this case, for example, the analysis system 1 is connected to the information collection server through a communication network, and the data collection unit 2 collects the information through that network.

When the data collection unit 2 has collected information regarding each device included in the system to be diagnosed, it stores the information in the data storage unit 3.

The data storage unit 3 is a storage device that stores the information regarding each device collected by the data collection unit 2.

The fact generation unit 4 generates one or more facts based on the information regarding each device collected by the data collection unit 2. As already explained, a fact represents the security situation of the system to be diagnosed. A fact generated by the fact generation unit 4 represents some state, mainly related to security, of one or more devices included in the system to be diagnosed, derived from the specific information obtained from each device.

For example, the fact generation unit 4 generates facts by referring to a fact generation rule, prepared in advance, that includes one or more templates representing the facts to be generated, and determining whether the information regarding each device matches each template. Information regarding the device is applied to the parameters of the generated facts as appropriate.

FIG. 3 shows examples of generated facts. Although three facts are shown in FIG. 3, the facts are not limited to these three. The facts needed for the processing in the analysis unit 6 are generated as required.

In FIG. 3, the parameters shown in single quotation marks are individual specific pieces of information regarding the devices in the system to be diagnosed. For example, ‘Host A’ and ‘Host B’ in FIG. 3 are specific device IDs. A device ID is information that identifies each device included in the system to be diagnosed. The parameter ‘software 1’ is the name of the specific software installed on the device, and ‘CVE-2018-000x’ is the identification information of the specific vulnerability associated with that software. Identification information such as a CVE (Common Vulnerabilities and Exposures) identifier assigned by a security-related organization may be used as the vulnerability identification information. A fact parameter may also be a wildcard.

The fact shown as Example 1 in FIG. 3 represents the matter “HTTP (HyperText Transfer Protocol) communication from the device ‘Host A’ to the device ‘Host B’ is possible using TCP (Transmission Control Protocol) port 80.”

The fact shown as Example 2 in FIG. 3 represents the matter “‘software 1’ on the device ‘Host B’ has the vulnerability ‘CVE-2018-000x’, and administrative privileges can be obtained by exploiting the vulnerability remotely.”

The fact shown as Example 3 in FIG. 3 represents the matter “the attacker has administrative privileges on the device ‘Host A’.”

The description format of facts is not limited to the example shown in FIG. 3; any format can be used as long as the analysis unit 6 can process it.

The analysis rule storage unit 5 is a storage device that stores analysis rules. An analysis rule is a rule for deriving a new fact from existing facts. A fact derived using an analysis rule is mainly a fact that represents an attack that can be performed on a device included in the system to be diagnosed. The analysis rule storage unit 5 stores one or more analysis rules according to the system to be diagnosed.

FIG. 4 shows an example of an analysis rule. An analysis rule includes at least an element that represents the new fact to be derived and one or more elements that correspond to conditions. In other words, the analysis rule states that the new fact is derived when there are facts that match the conditions. In the example shown in FIG. 4, the element on the first line represents the new fact to be derived, and each element from the second line to the fourth line corresponds to a condition. In this rule, the new fact on the first line is derived when facts matching all three conditions exist. An analysis rule may also include an element representing a label uniquely defined for that rule. In FIG. 4, the element on the fifth line is this label, and it indicates that the label of the analysis rule is “exec01”.

In FIG. 4, the parameters enclosed in single quotation marks are individual specific pieces of information regarding a device in the system to be diagnosed. For example, ‘software 1’ in the condition on the third line is the name of specific software installed on a device; that is, the third-line condition concerns the software called ‘software 1’. For a fact to match a condition that includes such a specific parameter, the fact must include the corresponding information. In other words, a fact that matches the condition on line 3 is one associated with the software named ‘software 1’ installed on the device.

The analysis rule shown in FIG. 4 may also include fixed values, as opposed to the variables described below. For example, “attacker”, “administrative privileges”, “http”, “80”, “remote”, “privilege escalation”, and “administrator” in FIG. 4 are fixed values. For a fact to match a condition that includes a fixed value as a parameter, the premise fact must contain that fixed value.

In FIG. 4, parameters that begin with a capital letter are variables. A variable parameter takes a value that depends on the fact being matched. In the example shown in FIG. 4, “SrcHost” and “DstHost” are variables. Pieces of the information collected from the devices are assigned to the variables.

Within a single analysis rule, variables with the same name are assigned a common value. For example, a common concrete device ID is assigned to the variable “SrcHost” on the second and fourth lines of FIG. 4. Similarly, a common concrete device ID is assigned to the variable “DstHost” on the second and third lines of FIG. 4.

In the example shown in FIG. 4, “CVEID” on the third line is a wildcard for the vulnerability identification information. A parameter representing a wildcard may thus be included in an analysis rule. If a fact holds regardless of some piece of device information, the corresponding part of the fact may be written as a wildcard. A wildcard parameter indicates that any value may be assigned to that parameter.

In the analysis rule shown in FIG. 4, the same device information is assigned to the same variable wherever it appears in the conditions; that is, one value is assigned to “SrcHost” and one to “DstHost”. When device information is assigned to the variables in this way and there are facts that match each of the conditions, the new fact on the first line is derived, with the same device information substituted for its variables.

The description format of analysis rules is not limited to the example shown in FIG. 4.

The analysis unit 6 generates an attack scenario for each pair, among one or more pairs of a fact that is the start point and a fact that is the end point, for which the end point fact can be derived from the start point fact. An attack scenario is information that represents a transition relationship of a combination of a device, an attack state, and privileges that can correspond to the attack state. Specifically, the analysis unit 6 analyzes whether the end point fact can be derived from the start point fact, and generates an attack scenario when it can. This analysis uses the facts generated from the information regarding the start point device and the end point device, the start point fact, and the analysis rules stored in the analysis rule storage unit 5. The analysis unit 6 does not use facts generated from information regarding devices that are neither the start point device nor the end point device.

A fact that is the start point may be referred to simply as a start point fact. Similarly, a fact that is the end point may be referred to simply as an end point fact.

Each of the start point fact and the end point fact is usually a fact that represents an attack that can be performed on a device in the system to be diagnosed (a fact representing the possibility of an attack). The ability to derive the end point fact from the start point fact therefore indicates that if some attack is possible on the start point device, another attack becomes possible on the end point device. The inability to derive it indicates that even if some attack is possible on the start point device, the attack represented by the end point fact cannot be executed on the end point device.

An example of the operation for analyzing whether the end point fact can be derived from the start point fact will be described.

The analysis unit 6 generates one or more pairs of a fact that is the start point of an attack graph and a fact that is its end point. The start point fact and the end point fact represent attacks that can take place on the start point device and the end point device, respectively.

For each pair, the analysis unit 6 analyzes whether the end point fact can be derived from the start point fact, based on the facts generated from the information regarding the start point device and the end point device, the start point fact, and the analysis rules stored in the analysis rule storage unit 5. In this analysis, the analysis unit 6 does not use facts generated from information regarding devices that are neither the start point device nor the end point device.

The fact that is the start point of the attack graph and the fact that is the end point of the attack graph will now be described.

There are multiple types of attacks, and the attacks that a device maybe subjected to vary depending on the vulnerability the which devicehas. Therefore, in the example embodiments of the present invention, thestate of a device that may be attacked by vulnerability is defined asthe attack state. For example, as the attack state, “a state in whichcode can be executed (hereinafter, referred to as “arbitrary codeexecution”)”, “a state in which data can be tampered with (hereinafter,referred to as “data tampering”), “a state in which files can beaccessed (hereinafter, referred to as “file accessible”)”, “a state inwhich account information has held (hereinafter, referred to as “accountholding”)”, “a state in which a DoS (Denial of Service) attack can becarried out (hereinafter, referred to as “dos”)”, etc. are given. In thepresent example embodiment, there are five attack states “arbitrary codeexecution”, “data tampering”, “file accessible”, “account holding”, and“dos” as an example. However, the attack states are not limited to theabove five types. Other types of attack states may be given depending onthe attacks that may occur in the system to be diagnosed. An attackstate that includes multiple attack states may also be defined. Forexample, an attack state called “all” may be defined as a state thatincludes all of the attack states “arbitrary code execution”, “datatampering”, “file accessible”, and “account holding”.

The analysis unit 6 generates a combination of one of the device IDs ofdevices included in the system to be diagnosed, one of the multiplepredetermined attack states, and one of the privileges that cancorrespond to the attack states as the fact that is the start point ofthe attack graph.

Similarly, the analysis unit 6 generates a combination of one of thedevice IDs of devices included in the system to be diagnosed, one of themultiple predetermined attack states, and one of the privileges that cancorrespond to the attack states as the fact that is the end point of theattack graph.

Here, “privileges” includes privileges when the attack indicated by theattack state is performed. In this case, the privilege is, for example,either administrative privileges or general privileges. In addition,“privileges” may include the matter that privilege is not relevant whenthe attack indicated by the attack state is performed (hereinafter,referred to as “no relevant privileges”). Therefore, the predeterminedmultiple types of privileges are, as an example, “administrativeprivileges”, “general privileges”, and “no relevant privileges”.

The combination of attack state and privileges can be determined according to the specific content of the attack state. For example, each of the attacks indicated by “arbitrary code execution,” “data tampering,” “file accessible,” and “account holding” can be performed under some privileges, such as administrative or general privileges. Therefore, for each attack state of “arbitrary code execution,” “data tampering,” “file accessible,” and “account holding”, appropriate privileges such as “administrative privileges” or “general privileges” can be combined, depending on the specifics of each attack state. A DoS attack is not related to administrative privileges, general privileges, or other privileges. Therefore, the attack state “dos” is combined with “no relevant privileges”.

Under such a combination of attack state and privileges, the analysis unit 6 generates a combination of a device corresponding to one of the devices included in the system to be diagnosed, one of the multiple types of attack states, and one of the privileges that can correspond to the attack state, as the fact that is the start point of the attack graph. Similarly, the analysis unit 6 generates a combination of a device corresponding to one of the devices included in the system to be diagnosed, one of the multiple types of attack states, and one of the multiple types of privileges that can correspond to the attack state, as a fact that is the end point of the attack graph.

In this way, the combination of “device, attack state, and privileges” is treated as a fact that is the start point of the attack graph or a fact that is the end point of the attack graph. The device included in a fact is represented by a device ID, for example. In other words, each of a fact that is the start point and a fact that is the end point is a fact that indicates the possibility of the attack represented by the attack state in the device represented by the device ID.

Furthermore, the analysis unit 6 determines a pair of a fact (a combination of “device, attack state, and privileges”) that is the start point of the attack graph and a fact (a combination of “device, attack state, and privileges”) that is the end point of the attack graph. In this case, the analysis unit 6 may exhaustively determine all pairs of facts that are the start points and facts that are the end points in the system to be diagnosed, or some of all pairs. In the case of determining some of all pairs, the analysis unit 6 may determine a pair of the fact that is the start point and the fact that is the end point based on some of the devices included in the system to be diagnosed, such as devices included in a specific subnet in the system to be diagnosed. That is, when the analysis unit 6 generates the fact that is the start point and the fact that is the end point based on some of the devices included in the system to be diagnosed, the analysis unit 6 may regard the devices included in the same subnet of the system to be diagnosed as some of the devices. The analysis unit 6 may also determine the pair of the fact that is the start point and the fact that is the end point by excluding pairs of devices that need to go through other devices for communication, i.e., pairs of devices that cannot communicate directly. In other words, when the analysis unit 6 generates the fact that is the start point and the fact that is the end point based on some of the devices included in the system to be diagnosed, the analysis unit 6 may regard the devices that can communicate directly as some of the devices.

In this case, the analysis unit 6 may determine combinations of the devices that are the start points and the devices that are the end points, and under each combination of devices, determine the fact (a combination of “device, attack state, and privileges”) that is the start point and the fact (a combination of “device, attack state, and privileges”) that is the end point.

The device included in the fact that is the start point and the device included in the fact that is the end point may be the same device. In this case, the analysis unit 6 can also analyze whether it is possible to reach from one attack state of a device to another attack state, in other words, if a certain attack is possible on a device, whether another attack is possible on the device.

After determining one or more pairs of the fact that is the start point and the fact that is the end point as described above, the analysis unit 6 analyzes, for each pair, whether or not it is possible to derive the fact that is the end point from the fact that is the start point, based on the facts representing the state of each device generated from the information regarding the device that is the start point and the information regarding the device that is the end point, the fact that is the start point, and one or more predetermined analysis rules. In this case, the analysis unit 6 can apply an inference algorithm based on the analysis rules stored in the analysis rule storage unit 5, for example. The device that is the start point is the device indicated by the device ID included in the fact that is the start point, and the device that is the end point is the device indicated by the device ID included in the fact that is the end point. Accordingly, for example, when the device ID in the fact that is the start point is ‘Host A’ and the device ID in the fact that is the end point is ‘Host B’, the analysis unit 6 analyzes whether or not it is possible to derive the fact that is the end point based on facts representing the states of ‘Host A’ and ‘Host B’ generated from information regarding device ‘Host A’ and information regarding device ‘Host B’. Therefore, the analysis unit 6 can analyze whether or not it is possible to derive a fact that is the end point from a fact that is the start point for the focused pair, without deriving facts related to devices other than the device that is the start point and the device that is the end point, and without deriving the same facts repeatedly. In other words, by restricting the facts to be referenced as described above, the analysis unit 6 can analyze whether or not it is possible to derive a fact that is the end point from a fact that is the start point without deriving redundant facts.

At the time of starting the analysis of whether or not it is possible to derive a fact that is the end point by focusing on a single pair, the analysis unit 6 regards the facts generated from the information regarding the device that is the start point and the information regarding the device that is the end point, and the fact that is the start point, as the existing facts. The analysis unit 6 does not include facts generated by the fact generation unit 4 from information regarding devices other than the device that is the start point and the device that is the end point in the existing facts. The analysis unit 6 determines whether or not a fact that matches a condition of the analysis rule is included in the existing facts. Then, the analysis unit 6 derives a new fact based on the analysis rule when facts that match the respective conditions included in the analysis rule exist in the existing facts. The analysis unit 6 adds the derived new fact to the existing facts. The analysis unit 6 repeats this operation. The analysis unit 6 determines that it is possible to derive a fact that is the end point from a fact that is the start point when the derived new fact matches the fact that is the end point in the focused pair.

Hereinafter, an example of the operation of the analysis unit 6 to derive new facts will be described in more detail, referring to the analysis rule illustrated in FIG. 4 as an example. The analysis unit 6 determines whether or not there is a fact that matches each condition by comparing each of the conditions included in the analysis rule with each of the existing facts obtained at that point in time. For the fixed value parameters among the conditions included in the analysis rule, the analysis unit 6 determines whether or not a fact matching the condition exists in the existing facts by determining whether or not the fixed value parameter included in the condition matches the corresponding fixed value in the existing facts. For the variable parameters, the analysis unit 6 assigns the value included in the existing fact to the condition as it is. Then, the analysis unit 6 derives a new fact if facts that match the conditions are included in the existing facts.

For example, assume that the existing facts include the three facts illustrated in FIG. 3. Then, assume that the analysis unit 6 derives a new fact using the analysis rule illustrated in FIG. 4. In this case, the fixed value parameters included in each condition of the analysis rule shown in FIG. 4 match the fixed value parameters included in the facts shown in FIG. 3. Therefore, in this case, the analysis unit 6 assigns ‘Host B’ to the variable ‘DstHost’ in the first line shown in FIG. 4 to derive “arbitrary code execution (attacker, ‘Host B’, administrative privileges)” as a new fact. Then, the analysis unit 6 adds the new fact to the existing facts. This new fact represents the matter “The attacker is able to execute code on device ‘Host B’ with administrative privileges”. In other words, from the three facts illustrated in FIG. 3, the matter “The attacker is able to execute code on device ‘Host B’ with administrative privileges” is derived.

When the conditions included in the analysis rule do not match the existing facts, the analysis unit 6 does not derive a new fact based on the analysis rule. This means that the fact represented by the analysis rule is not derived when the existing facts are premised.

The analysis unit 6 performs the same process for each analysis rule.

The analysis unit 6 repeats the derivation of new facts until a new fact corresponds to the fact that is the end point in the pair that is being focused on. If the fact that is the end point in the focused pair is not obtained even after repeating the derivation of new facts until no new fact can be derived, the analysis unit 6 determines that the fact that is the end point cannot be derived from the fact that is the start point for the focused pair. This corresponds to the case where no attack occurs on the device that is the end point due to the attack state on the device that is the start point.

The analysis unit 6 may use other methods to analyze whether it is possible to derive the fact that is the end point from the fact that is the start point. In this case, when the analysis unit 6 is able to determine that the fact that is the end point cannot be derived from the fact that is the start point, the analysis unit 6 may terminate the analysis for the pair.

When the analysis unit 6 determines that it is possible to derive a fact that is the end point from the fact that is the start point, the analysis unit 6 generates an attack scenario for the pair of facts. In this case, the analysis unit 6 generates an attack scenario according to the fact that is the start point and the fact that is the end point. More specifically, for each pair (a pair of the fact that is the start point and the fact that is the end point) for which it is determined that it is possible to derive the fact that is the end point from the fact that is the start point, the analysis unit 6 generates information that indicates a transition from the “combination of a device, an attack state, and privileges” corresponding to the fact that is the start point to the “combination of a device, an attack state, and privileges” corresponding to the fact that is the end point, as an attack scenario.

The analysis unit 6 stores the generated attack scenario in the attack scenario storage unit 19. The attack scenario storage unit 19 is a storage device that stores the attack scenarios.

The display control unit 8 displays each attack scenario generated by the analysis unit 6 on the display device 9. The display control unit 8 may read each attack scenario from the attack scenario storage unit 19 and display each attack scenario on the display device 9.

The display device 9 is a device that displays information, and can be a general display device. When the analysis system 1 exists in the cloud, the display device 9 may be a display device of a terminal connected to the cloud.

An example of an operation in which the display control unit 8 displays an attack scenario will be described. As described above, for each pair (a pair of the fact that is the start point and the fact that is the end point) for which it is determined that it is possible to derive the fact that is the end point from the fact that is the start point, the analysis unit 6 generates information that indicates a transition from the “combination of a device, an attack state, and privileges” corresponding to the fact that is the start point to the “combination of a device, an attack state, and privileges” corresponding to the fact that is the end point, as an attack scenario.

When displaying each attack scenario, the display control unit 8 displays a second icon representing privileges in a first icon representing a device, and displays a third icon representing an attack state in the second icon, for the fact that is the start point. Similarly, the display control unit 8 also displays a second icon representing privileges in a first icon representing a device, and displays a third icon representing an attack state in the second icon, for the fact that is the end point. The display control unit 8 then displays an edge extending from the third icon corresponding to the fact that is the start point to the third icon corresponding to the fact that is the end point.

However, when the device in the fact that is the start point and the device in the fact that is the end point are common, the first icon is common. Similarly, when the device and privileges in the fact that is the start point and the device and privileges in the fact that is the end point are common, the first icon is common and the second icon is also common.

In a predetermined case, the display control unit 8 omits displaying the second icon and displays the third icon in the first icon. In the present example embodiment, the above predetermined case is the case where the privilege is “no relevant privileges”. In the present example embodiment, “no relevant privileges” corresponds to the attack state “dos”. Therefore, the third icon representing “dos” is displayed without the second icon.

FIG. 5 is a schematic diagram showing an example of the display of an attack scenario as described above. FIG. 5 shows an example of the display of multiple attack scenarios in two devices A and B. In this example, as shown in FIG. 5, the display control unit 8 displays two first icons 41 representing devices A and B. Then, the display control unit 8 displays second icons 42 representing general privileges and administrative privileges in the first icons 41. Furthermore, the display control unit 8 displays third icons 43 representing various attack states such as “arbitrary code execution” in the second icons 42. However, as described above, when the privilege is “no relevant privileges”, the display control unit 8 omits displaying the second icon 42. Therefore, the display control unit 8 displays the third icon 43 representing “dos” in the first icon 41 without the second icon 42. In addition, the display control unit 8 displays an edge extending from the third icon 43 corresponding to a fact that is the start point to the third icon 43 corresponding to a fact that is the end point. Hereinafter, in order to make the description easier to understand, the sign of each icon on the device A side will be described by adding a subscript “a”, and the sign of each icon on the device B side will be described by adding a subscript “b”.

For example, in the example shown in FIG. 5, in the first icon 41 a representing the device A, the second icon 42 a representing general privileges is displayed, and furthermore, in the second icon 42 a, the third icon 43 a representing “arbitrary code execution” is displayed.

Similarly, in the first icon 41 b representing the device B, the second icon 42 b representing administrative privileges is displayed, and furthermore, in the second icon 42 b, the third icon 43 b representing “arbitrary code execution” is displayed. An edge extending from the above third icon 43 a to the third icon 43 b is displayed. This represents an attack scenario of a transition from the combination (fact) “the device A, arbitrary code execution, general privileges” to the combination (fact) “the device B, arbitrary code execution, administrative privileges”.

Also, in the example shown in FIG. 5, in the first icon 41 a representing the device A, the second icon 42 a representing general privileges is displayed, and furthermore, in the second icon 42 a, the third icon 43 a representing “file accessible” is displayed. In addition, in the second icon 42 a, another third icon 43 a representing “arbitrary code execution” is displayed. An edge extending from the third icon 43 a representing “file accessible” to the other third icon 43 a representing “arbitrary code execution” is displayed. This represents an attack scenario of a transition from the combination (fact) “the device A, file accessible, general privileges” to the combination (fact) “the device A, arbitrary code execution, general privileges”. In this attack scenario, the device in the fact that is the start point and the device in the fact that is the end point are common, namely “the device A”. In addition, the privileges in the fact that is the start point and the privileges in the fact that is the end point are common, namely “general privileges”. Therefore, in this example, the second icon 42 a and the first icon 41 a including the third icon 43 a representing “file accessible” are common with the second icon 42 a and the first icon 41 a including the third icon 43 a representing “arbitrary code execution”.

In addition, assume that the end point in a certain combination of a fact that is a start point and a fact that is an end point (referred to as combination P) matches the start point in another combination of a fact that is a start point and a fact that is an end point (referred to as combination Q). In this case, the display control unit 8 displays both the edge reaching the third icon 43 corresponding to the end point in the combination P and the start point in the combination Q (which match) and the edge extending from that third icon 43. For example, in the example shown in FIG. 5, focusing on the third icon 43 b representing “account holding” displayed in the icon 41 b representing the device B, both the edge reaching the third icon 43 b representing “account holding” and the edge extending from the third icon 43 b are displayed.

In the example shown in FIG. 5, an example of the display of multiple attack scenarios in two devices A and B is shown. The display control unit 8 may display multiple attack scenarios in three or more devices. FIG. 6 is a schematic diagram showing an example of the display of multiple attack scenarios in three devices A, B, and C. In FIG. 6, the subscript “c” is added to the sign of each icon on the device C side.

In the example shown in FIG. 6, it can be seen that there are a path that directly transitions from the combination “the device A, arbitrary code execution, general privileges” to the combination “the device C, arbitrary code execution, administrative privileges”, and a path that transitions from the combination “the device A, arbitrary code execution, general privileges” through the combination “the device B, arbitrary code execution, administrative privileges” to the combination “the device C, arbitrary code execution, administrative privileges”. Thus, when transitioning from one combination to another, there may be both a direct transition path and a path that transitions through one or more other devices (the device B in the above example).

The method of displaying the attack scenarios is not limited to the examples shown in FIGS. 5 and 6, and the display control unit 8 may display each attack scenario by a method different from the method described above.

The data collection unit 2 is realized by a CPU (Central Processing Unit) of a computer that operates according to an analysis program and a communication interface of the computer, for example. For example, the CPU can read the analysis program from a program recording medium such as a program storage device of the computer, and operate as the data collection unit 2 according to the analysis program and using the communication interface. In addition, the fact generation unit 4, the analysis unit 6 and the display control unit 8 can be realized by the CPU of the computer operating according to the analysis program, for example. For example, the CPU reads the analysis program from the program recording medium as described above, and operates as the fact generation unit 4, the analysis unit 6 and the display control unit 8 according to the analysis program. For example, the data storage unit 3, the analysis rule storage unit 5 and the attack scenario storage unit 19 are realized by a storage device provided in the computer.

Next, the processing flow will be described. FIGS. 7 and 8 are flowcharts showing an example of the processing flow of the analysis system of the first example embodiment of the present invention. Matters already explained are omitted.

First, the data collection unit 2 collects information regarding each device included in the system to be diagnosed (step S1). The data collection unit 2 stores the collected information in the data storage unit 3.

Next, the fact generation unit 4 generates one or more facts based on the information regarding each device (step S2).

Next, the analysis unit 6 generates a combination of one of the devices, one of the multiple types of attack states, and one of the privileges that can correspond to the attack state as the fact that is the start point of the attack graph. Similarly, the analysis unit 6 generates a combination of one of the devices, one of the multiple types of attack states, and one of the privileges that can correspond to the attack state as a fact that is the end point of the attack graph (step S3).

Next, the analysis unit 6 generates one or more pairs of a fact that is the start point of the attack graph and a fact that is the end point of the attack graph (step S4).

Next, the analysis unit 6 determines whether all the pairs generated in step S4 have already been selected in step S6 (step S5). When there are unselected pairs (No in step S5), the process moves to step S6. When the process first moves to step S5 from step S4, no pair has been selected yet. Therefore, in this case, the process moves to step S6.

In step S6, the analysis unit 6 selects one of the pairs generated in step S4 that has not yet been selected.

Following step S6, the analysis unit 6 sifts through the facts (step S6 a). In step S6 a, the analysis unit 6 selects the facts to be used in the analysis of step S7, and does not select facts that are not used in the analysis of step S7. Specifically, the analysis unit 6 selects the facts generated from the information regarding the device that is the start point and the information regarding the device that is the end point, and the fact that is the start point. The analysis unit 6 does not select a fact generated based on information regarding a device that corresponds to neither the device that is the start point nor the device that is the end point. Such a fact is not used in the analysis of step S7.

After step S6 a, the analysis unit 6 analyzes whether or not it is possible to derive the fact that is the end point from the fact that is the start point for the selected pair (step S7). At the start of step S7, the analysis unit 6 regards the facts generated from the information regarding the device that is the start point and the information regarding the device that is the end point, and the fact that is the start point (i.e., the facts selected in step S6 a), as the existing facts (facts for reference). Then, when the analysis unit 6 derives a new fact based on the analysis rule, the analysis unit 6 adds the new fact to the above existing facts (facts for reference). The analysis unit 6 analyzes whether or not it is possible to derive the fact that is the end point by repeating the derivation of a new fact based on the existing facts (facts for reference) and the analysis rule. When the fact that is the end point in the selected pair cannot be obtained even after repeating the derivation of a new fact until no new facts can be derived, the analysis unit 6 determines that the fact that is the end point cannot be derived from the fact that is the start point.

When the fact that is the end point cannot be derived from the fact that is the start point (No in step S8), the analysis unit 6 repeats the process from step S5.

When the fact that is the end point can be derived from the fact that is the start point (Yes in step S8), the analysis unit 6 generates an attack scenario for the selected pair, and stores the attack scenario in the attack scenario storage unit 19 (step S9). In step S9, the analysis unit 6 generates information that indicates a transition from the “combination of a device, an attack state, and privileges” corresponding to the fact that is the start point to the “combination of a device, an attack state, and privileges” corresponding to the fact that is the end point, as an attack scenario, for the selected pair. The analysis unit 6 then stores the attack scenario in the attack scenario storage unit 19.

After step S9, the analysis unit 6 repeats the process from step S5.

When the analysis unit 6 determines that all the pairs generated in step S4 have already been selected in step S6 (Yes in step S5), the display control unit 8 reads each attack scenario stored in the attack scenario storage unit 19 and displays each attack scenario on the display device 9 (step S10, refer to FIG. 8). For example, the display control unit 8 may display each attack scenario on the display device 9 in the mode illustrated in FIGS. 5 and 6. However, the display mode of the attack scenario is not limited to the mode illustrated in FIGS. 5 and 6.
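As an added example (not the patent's own code), the following Python sketches steps S3 to S9 described above together with the rule-matching described for FIGS. 3 and 4: point facts are generated per device, only the facts of the start device and the end device are kept (step S6 a), new facts are derived by forward chaining until the end point fact appears or nothing new can be derived (step S7), and a transition is recorded as the attack scenario (step S9). The device facts, the two rules, the placeholder ‘vuln-X’ and the convention that a term beginning with ‘?’ is a variable are all constructed assumptions; FIGS. 3 and 4 themselves are not reproduced.

```python
# Added example, not the patent's code: steps S3 to S9 of the analysis unit 6.
# Point facts are laid out like the derived fact quoted in the text,
# "arbitrary code execution (attacker, 'Host B', administrative privileges)":
# (attack state, 'attacker', device ID, privileges). A rule is (conclusion,
# conditions); terms starting with '?' are variables (assumed convention).
from itertools import product

ATTACK_STATES = ("arbitrary code execution", "data tampering",
                 "file accessible", "account holding", "dos")
# Privileges that can correspond to each attack state ("dos" only with
# "no relevant privileges", as in the text).
PRIVILEGES = {s: ("administrative privileges", "general privileges")
              for s in ATTACK_STATES[:4]}
PRIVILEGES["dos"] = ("no relevant privileges",)

# Step S2 output grouped by the device whose information produced the fact.
# Constructed sample; 'vuln-X' is a placeholder, not a real identifier.
FACTS_BY_DEVICE = {
    "Host A": [("reachable", "Host A", "Host B")],
    "Host B": [("has_vulnerability", "Host B", "vuln-X"),
               ("reachable", "Host B", "Host C")],
    "Host C": [("has_vulnerability", "Host C", "vuln-X")],
}

# Constructed rules. RULE_REMOTE has the shape described for FIG. 4: fixed
# values plus variables ('?SrcHost', '?DstHost', '?Priv') bound from facts.
RULE_REMOTE = (
    ("arbitrary code execution", "attacker", "?DstHost", "administrative privileges"),
    [("arbitrary code execution", "attacker", "?SrcHost", "?Priv"),
     ("reachable", "?SrcHost", "?DstHost"),
     ("has_vulnerability", "?DstHost", "vuln-X")],
)
# Same-device transition (start and end device identical, as the text allows).
RULE_LOCAL = (
    ("account holding", "attacker", "?Host", "administrative privileges"),
    [("arbitrary code execution", "attacker", "?Host", "administrative privileges")],
)
RULES = [RULE_REMOTE, RULE_LOCAL]


def match(condition, fact, binding):
    """Fixed values must be equal; a variable takes the fact's value, and
    must take the same value in every condition. Returns the extended
    binding, or None when the fact does not match the condition."""
    if len(condition) != len(fact):
        return None
    bound = dict(binding)
    for term, value in zip(condition, fact):
        if term.startswith("?"):
            if bound.setdefault(term, value) != value:
                return None
        elif term != value:
            return None
    return bound


def apply_rule(rule, facts):
    """Every fact the rule yields from the existing facts."""
    conclusion, conditions = rule
    bindings = [{}]
    for condition in conditions:
        bindings = [b2 for b in bindings for fact in facts
                    for b2 in (match(condition, fact, b),) if b2 is not None]
    return {tuple(b.get(t, t) for t in conclusion) for b in bindings}


def can_derive(start, end, device_facts, rules):
    """Step S7: forward chaining from the start point fact over the facts of
    the start and end devices only; stops when the end point fact appears
    or when a round derives nothing new."""
    existing = set(device_facts) | {start}
    while end not in existing:
        derived = set().union(*(apply_rule(r, existing) for r in rules))
        if derived <= existing:
            return False
        existing |= derived
    return True


def point_facts(device_ids):
    """Step S3: each device with each attack state and each privilege that
    can correspond to that attack state."""
    return [(state, "attacker", dev, priv) for dev in device_ids
            for state in ATTACK_STATES for priv in PRIVILEGES[state]]


def analyze(facts_by_device, rules):
    """Steps S4 to S9: attack scenarios as (start, end) transitions, each
    side written as the text's (device, attack state, privileges)."""
    points = point_facts(sorted(facts_by_device))
    scenarios = []
    for start, end in product(points, points):           # S4: all pairs
        if start == end:
            continue
        # S6 a: only facts generated from the start device and the end device
        sifted = facts_by_device[start[2]] + facts_by_device[end[2]]
        if can_derive(start, end, sifted, rules):        # S7, S8
            scenarios.append(((start[2], start[0], start[3]),
                              (end[2], end[0], end[3])))  # S9
    return scenarios


if __name__ == "__main__":
    for src, dst in analyze(FACTS_BY_DEVICE, RULES):
        print(", ".join(src), "->", ", ".join(dst))
```

Running it shows that no scenario from ‘Host A’ to ‘Host C’ is reported even though A reaches B and B reaches C, because each pair references only the two devices' own facts; the two-hop path appears as the separate scenarios A to B and B to C, which is how FIG. 6 shows a path through the device B.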

According to the present example embodiment, an attack scenario that indicates a transition from a “combination of a device, an attack state, and privileges” to another “combination of a device, an attack state, and privileges” is generated. Thus, it is possible to present such an attack scenario to the security administrator (hereinafter, referred to as “administrator”). Therefore, it is possible to present the analysis results for a system to be diagnosed so that an attack order, etc. can be easily understood.

In the above example embodiment, the case where the analysis system 1 performs a loop process starting from step S5 was explained as an example. The analysis system 1 may instead perform the processing from step S6 in parallel for each pair generated in step S4.

Next, a modification of the first example embodiment is described. In the present modification, the analysis system 1 displays the attack scenario superimposed on a network topology of the devices included in the system to be diagnosed. This modification of displaying the attack scenario superimposed on the network topology of the devices included in the system to be diagnosed can also be applied to the second example embodiment and the third example embodiment described below.

FIG. 9 is a block diagram showing an example of an analysis system in the modification of the first example embodiment. Elements similar to those shown in FIG. 2 are given the same signs as in FIG. 2 and their description is omitted. The analysis system 1 of the present modification comprises a topology identification unit 13 in addition to each element shown in FIG. 2.

The topology identification unit 14 identifies the network topology of each device included in the system to be diagnosed. Specifically, the topology identification unit 14 may identify the network topology of each device based on a configuration of the network topology given by the administrator, or may identify the network topology of each device based on the information regarding each device stored in the data storage unit 3. Hereinafter, in the network topology, a node representing a device is referred to as a device node.

The topology identification unit 14 is realized, for example, by the CPU of the computer that operates according to the analysis program. For example, the CPU can read the analysis program from the program recording medium and operate as the topology identification unit 14 according to the program.

The display control unit 8 displays the attack scenario on the display device 9 by superimposing it on the network topology identified by the topology identification unit 14. FIG. 10 is a schematic diagram showing an example of the display in which an attack scenario is superimposed on a network topology. In FIG. 10, in order to simplify the drawing, only a small number of the second icons 42 and third icons 43 are shown.

The display control unit 8 displays the network topology. FIG. 10 shows a case where a network topology including an office PC 51, a file server 52, an administrative PC 53, an in-house Web server 54, and a data server 55 included in the system to be diagnosed as device nodes is displayed. It is preferable that the display control unit 8 displays each device node in the network topology with an icon having a shape corresponding to the type of device represented by the device node.

In addition, the display control unit 8 displays, for example, the first icon 41 including the second icon 42 and the third icon 43 in the vicinity of the device node. The display control unit 8 then displays the edge representing the attack scenario by superimposing it on the edge connecting the device nodes in the network topology (refer to FIG. 10).

In the example shown in FIG. 10, an attack scenario indicating a transition from the combination “the data server 55, arbitrary code execution, general privileges” to the combination “the in-house Web server 54, arbitrary code execution, general privileges” and an attack scenario indicating a transition from the combination “the data server 55, account holding, administrative privileges” to the combination “the administrative PC 53, arbitrary code execution, administrative privileges” are displayed. In FIG. 10, in order to simplify the drawing, the case where the above two attack scenarios are displayed is illustrated, but the displayed attack scenarios are not limited to the above two attack scenarios. When there is an edge that fits inside the first icon 41 or an edge that fits inside the second icon 42 based on the attack scenarios, the display control unit 8 may display the attack scenarios by displaying those edges as well.

According to the present modification, since not only the attack scenario but also the network topology is displayed, the administrator can more easily understand the attack order, etc.

Example Embodiment 2

Since an example of the analysis system 1 of the second example embodiment of the present invention can be represented as shown in FIG. 9, the second example embodiment will be described with reference to FIG. 9. The matters described in the first example embodiment and the modification are omitted from the description.

In the second example embodiment, the display control unit 8 receives the designation of a first device and a second device from the outside. Hereinafter, the case where the display control unit 8 receives the designation of the first device and the second device from the administrator will be described as an example.

When the first device and the second device are designated by the administrator, the display control unit 8 displays the attack scenario from the first device to the second device.

In this example, the display control unit 8 displays the networktopology identified by the topology identification unit 14 (refer toFIG. 9 ) on the display device 9, and receives the designation of thefirst device and the second device, for example, by a click operation onthe device node by the administrator.

The operation until each attack scenario is stored in the attackscenario storage unit 19 is the same as the first example embodiment.

Before displaying the attack scenario, the display control unit 8 first displays the network topology on the display device 9. FIG. 11 is a schematic diagram showing an example of the display of the network topology. For example, in the example shown in FIG. 11, assume that the data server 55 is designated as the first device by the administrator clicking the icon of the data server 55, and the administrative PC 53 is designated as the second device by clicking the icon of the administrative PC 53. In this case, the display control unit 8 displays an attack scenario from the data server 55 (the first device) to the administrative PC 53 (the second device). An example of the display of the attack scenario in this case is shown in FIG. 12. In the example shown in FIG. 12, the case where an attack scenario indicating a transition from the combination of “the data server 55, account holding, administrator privileges” to the combination of “administrative PC 53, arbitrary code execution, administrative privileges” is displayed is illustrated. In FIG. 12, for simplicity of the drawing, the case where the above one attack scenario is displayed is illustrated, but the attack scenarios which are displayed are not limited to the above one attack scenario. When there is an edge that fits inside the first icon 41 or an edge that fits inside the second icon 42 based on the attack scenario, the display control unit 8 may display the attack scenarios by displaying those edges as well.

In the above example, the in-house Web server 54 is not designated as the second device. Therefore, as illustrated in FIG. 10, even if there is an attack scenario that indicates a transition from the combination of “the data server 55, arbitrary code execution, and general privileges” to the combination of “the in-house Web server 54, arbitrary code execution, general privileges”, the display control unit 8 does not display that attack scenario.

An upper limit may be set for the number of hops of the third icon 43 or the number of hops of the device. For example, assume that there are multiple attack scenarios from the data server 55 (the first device) to the administrative PC 53 (the second device). In this case, the display control unit 8 displays only those attack scenarios in which the number of hops of the third icon 43 (which may be the number of hops of the device) is equal to or less than the upper limit among the multiple attack scenarios.

When the first device is designated, the display control unit 8 may identify a device that is a candidate for the second device based on each attack scenario and display the icon of that device with emphasis. For example, the icon of the device that is a candidate for the second device may be emphasized by displaying it in a predetermined color, such as red. There may be multiple devices that are candidates for the second device. When the second device is designated by the administrator from among the devices that are candidates for the second device, the display control unit 8 displays an attack scenario from the first device to the second device.

According to the present example embodiment, an attack scenario from the first device to the second device is displayed. Therefore, the administrator can narrow down the displayed attack scenarios by designating the first device and the second device. The administrator can thus prevent attack scenarios regarding devices not being paid attention to from being displayed, and can prevent the display from becoming difficult to read because a large number of attack scenarios not being paid attention to are displayed.

In the above example, the case where the first device and the second device are designated has been described. In the second example embodiment, one device may be designated from the outside. Hereinafter, a case where one device is designated by the administrator will be described as an example.

When one device is designated by the administrator, the display control unit 8 displays an attack scenario from the one device to another device. For example, assume that the display control unit 8 displays the network topology illustrated in FIG. 11 and the data server 55 is designated by the administrator by clicking the icon of the data server 55. In this case, the display control unit 8 displays attack scenarios from the data server 55 to other devices (in the example shown in FIG. 10, the administrative PC 53 and the in-house Web server 54), for example, as illustrated in FIG. 10. FIG. 10 has already been described, so the explanation is omitted here.

Even in this case, an upper limit may be set for the number of hops of the third icon 43 or the number of hops of the device. For example, assume that there are multiple attack scenarios from the one designated device to other devices. In such a case, the display control unit 8 displays only the attack scenarios in which the number of hops of the third icon 43 (which may be the number of hops of the device) is equal to or less than the upper limit among the plurality of attack scenarios.

Even in this case, it is possible to prevent the display from becoming difficult to read because a large number of attack scenarios that the administrator is not paying attention to are displayed.

In the above example, the case where the display control unit 8 displays the network topology and the device is designated by an operation such as clicking on the icon included in the network topology has been described. The method of designating the device is not limited to such a method. When the network topology is not used when designating the device, the topology identification unit 14 (refer to FIG. 9) need not be provided.
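The narrowing described in this example embodiment (designating a first and a second device, the hop upper limit, and the candidate devices to emphasize) can be stated as a small filter over stored attack scenarios. The following is an added example, not code from the patent; the scenarios are constructed after FIG. 10, the file server 56 is a constructed device added to give a two-hop chain, and counting one hop per scenario edge is an assumption.

```python
from collections import deque

# Constructed attack scenarios in the form the page describes: each scenario is a
# transition from one (device, attack state, privileges) combination to another.
# The first two follow FIG. 10; the third (file server 56) is constructed here
# to give a two-hop chain for the hop-limit check.
SCENARIOS = [
    (("data server 55", "arbitrary code execution", "general privileges"),
     ("in-house Web server 54", "arbitrary code execution", "general privileges")),
    (("data server 55", "account holding", "administrative privileges"),
     ("administrative PC 53", "arbitrary code execution", "administrative privileges")),
    (("administrative PC 53", "arbitrary code execution", "administrative privileges"),
     ("file server 56", "data tampering", "administrative privileges")),
]


def _index_by_start(scenarios):
    """Group scenarios by their start combination so chains can be followed."""
    index = {}
    for scenario in scenarios:
        index.setdefault(scenario[0], []).append(scenario)
    return index


def _chains_from(scenarios, first_device, max_hops=None):
    """Enumerate chains of scenarios starting at any combination on first_device.

    Each scenario in a chain counts as one hop of the third icon (assumption);
    chains longer than max_hops (when given) are dropped, which is the upper
    limit the display control unit 8 applies.
    """
    index = _index_by_start(scenarios)
    queue = deque(
        (scenario,)
        for start, group in index.items() if start[0] == first_device
        for scenario in group
    )
    chains = []
    while queue:
        chain = queue.popleft()
        if max_hops is not None and len(chain) > max_hops:
            continue
        chains.append(chain)
        for nxt in index.get(chain[-1][1], []):
            if nxt not in chain:  # a scenario set with a loop must not recurse forever
                queue.append(chain + (nxt,))
    return chains


def scenarios_to_display(scenarios, first_device, second_device=None, max_hops=None):
    """Scenarios the display control unit 8 would show for the designation.

    With a second device, only chains ending on that device are kept (so the
    scenario towards an undesignated device, e.g. the Web server 54, is hidden);
    with one designated device, every chain leaving it is shown.
    """
    shown = set()
    for chain in _chains_from(scenarios, first_device, max_hops):
        if second_device is None or chain[-1][1][0] == second_device:
            shown.update(chain)
    return shown


def candidate_second_devices(scenarios, first_device):
    """Devices whose icons would be emphasized as candidates for the second device."""
    return {chain[-1][1][0] for chain in _chains_from(scenarios, first_device)}
```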

Example Embodiment 3

FIG. 13 is a block diagram showing an example of the analysis system of the third example embodiment of the present invention. The matters described in the first example embodiment are omitted from the description. The analysis system 1 of the third example embodiment comprises a pattern table storage unit 11 and an attack pattern storage unit 7 in addition to each element provided by the analysis system 1 of the first example embodiment (refer to FIG. 2).

In the third example embodiment, the analysis unit 6 analyzes, for each pair of the fact that is the start point and the fact that is the end point, whether or not it is possible to derive the fact that is the end point from the fact that is the start point. Then, the analysis unit 6 generates an attack scenario for each pair for which it is determined that it is possible to derive the fact that is the end point from the fact that is the start point. This operation of the analysis unit 6 is the same as that of the analysis unit 6 in the first example embodiment. In the third example embodiment, the analysis unit 6 generates not only an attack scenario but also an attack pattern for the pair for which it is determined that it is possible to derive the fact that is the end point from the fact that is the start point. The attack pattern is information that includes at least an attack condition, an attack result, and an attack means. The attack pattern may include other information. The details of the attack pattern are described later.

In the third example embodiment, for example, when displaying an attack scenario, the display control unit 8 displays the attack pattern associated with the attack scenario. In other words, when displaying an attack scenario, the display control unit 8 displays the attack pattern generated based on the pair (a pair of the fact that is the start point and the fact that is the end point) on which the attack scenario is based. Examples of displaying the attack scenario and the attack pattern are described later.

Next, generation of attack patterns will be described. When the analysis unit 6 determines that it is possible to derive a fact that is the end point from the fact that is the start point, the analysis unit 6 generates an attack pattern for the pair of facts. As described above, the attack pattern is information that includes at least an attack condition, an attack result, and an attack means. Here, the attack condition is a pair of the attack state and privileges at the start point, and the attack result is a pair of the attack state and privileges at the end point. The attack means is a vulnerability that an attacker uses to attack, or an attack method (e.g., ArpSpoofing, etc.). The attack pattern may include information other than an attack condition, an attack result and an attack means.

FIG. 14 is a schematic diagram showing an example of an attack pattern. In the example shown in FIG. 14, the attack pattern includes a pattern number, an attack condition, an attack result, a pattern overview, an attack risk, user involvement, an attack means, and a segment. Of these, the pattern number, the attack condition, the attack result, the pattern overview, the attack risk, and the user involvement are defined in advance in the pattern table stored by the pattern table storage unit 11. In some cases, the attack means is also defined in advance for the pair of the attack condition and the attack result. The pattern table will be described later.

As mentioned above, the attack condition is a pair of an attack state and privileges at the start point, and the attack result is a pair of an attack state and privileges at the end point. The attack condition can be identified from the attack state and privileges included in the fact that is the start point. The attack result can be identified from the attack state and privileges included in the fact that is the end point.

The pattern overview is a summarized description of the attack pattern. In FIG. 14, the specific contents of the pattern overview are omitted. This is also true for FIG. 15, which shows an example of a pattern table, described below.

The attack risk is a value that indicates the degree of impact of an attack on the system to be diagnosed.

The user involvement indicates whether the attack requires an operation by the attacker himself or herself from the local environment, for example, through USB (Universal Serial Bus).

As described above, the attack means is a vulnerability that an attacker uses to attack or an attack method (e.g., ArpSpoofing, etc.).

There are two main types of security vulnerabilities. The first is vulnerability caused by software or device (routers, etc.) problems. Information on this type of vulnerability is collected and classified by various organizations, and the vulnerabilities are numbered accordingly. As an example, in the common vulnerability identifier CVE, an identifier in the form of “CVE-****-****” is assigned to each discovered vulnerability. The second is vulnerability caused by a protocol specification. Examples of this type of vulnerability are “FTP (File Transfer Protocol) malicious use”, “Telnet malicious use” and “SMB (Server Message Block) malicious use”, etc. In the example embodiment of the present invention, the vulnerabilities include both the first type and the second type of vulnerability.

The segment is a path between a device and other devices in the system to be diagnosed, or a path between a device and itself. To each segment in the system to be diagnosed, identification information is assigned in advance. “S1” and so on, shown as segments in FIG. 14, are the identification information of the segments.

In the attack pattern, an attack means is defined according to the analysis rule used to derive the fact that is the end point. However, the attack means may be predetermined for a pair of an attack condition and an attack result.

In the attack pattern, the segment is defined according to the fact that is the start point and the fact that is the end point.

A table in which the attack means defined according to the analysis rule used to derive the fact that is the end point is set to be pending, the segment is set to be pending, and the other matters included in the attack pattern that are not pending are stored is called a pattern table. The pattern table is predetermined and stored in the pattern table storage unit 11.

FIG. 15 is a schematic diagram showing an example of a pattern table. In FIG. 15, a blank field indicates that the information is set to be pending. The “ArpSpoofing” shown in FIG. 15 is a predetermined attack means for a pair of an attack condition and an attack result.

In each record of the pattern table, at least the pattern number, the attack condition, and the attack result are defined.

When the analysis unit 6 determines that it is possible to derive the fact that is the end point from the fact that is the start point, the analysis unit 6 searches the pattern table (refer to FIG. 15) for a record corresponding to the attack state and privileges included in the fact that is the start point, the attack state and privileges included in the fact that is the end point, and the analysis rule used to derive the fact that is the end point. Then, by identifying the pending information in the found record, the attack pattern for the pair of the fact that is the start point and the fact that is the end point is generated.

In the pattern table illustrated in FIG. 15, the pair of the attack condition and the attack result of pattern number “1” and the pair of the attack condition and the attack result of pattern number “2” are the same. In other words, there can be multiple records with a common set of an attack condition and an attack result. This means that there are multiple analysis rules used to derive the facts that are the end points representing the same attack result, and the way the pending information is defined differs depending on the analysis rule. Each record in the pattern table that has a common set of an attack condition and an attack result is associated with a different analysis rule in advance. Depending on the associated analysis rule, the method of identifying the pending attack means in the record will be different.

FIG. 16 is a schematic diagram showing that the facts that are the end points derived from a fact that is the start point are identical, but the processes of deriving the facts that are the end points are different, and the analysis rules used to derive the facts that are the end points are different. FIG. 16 shows an example where the end point of the combination “Host B/data tampering/administrative privileges” is derived from the start point of the combination “Host A/arbitrary code execution/general privileges”. However, facts 61 and 62 are facts derived by different analysis rules. The fact 61 is a fact derived by an analysis rule labeled “dataInject01”, and the fact 62 is a fact derived by an analysis rule labeled “dataInject02”. Here, the analysis rule labeled “dataInject01” is associated with record “1” in the pattern table illustrated in FIG. 15. The analysis rule labeled “dataInject02” is associated with record “2” in the pattern table. Therefore, the method of deriving the attack means is different between record “1” and record “2”, which share the same set of an attack condition and an attack result.

FIG. 17 shows an example of an analysis rule labeled “dataInject01”. When the analysis rule illustrated in FIG. 17 is used to derive a fact that is the end point, the analysis unit 6 searches for record “1”, which is associated with the analysis rule illustrated in FIG. 17, among the records including the attack condition “arbitrary code execution/general privileges” and the attack result “data tampering/administrative privileges”. Then, the analysis unit 6 generates a new attack pattern by identifying the attack means and the segment in the record. In the case of identifying the attack means of record “1” associated with the analysis rule illustrated in FIG. 17, the analysis unit 6 may identify the vulnerability identification information assigned to the wildcard “CVEID” (refer to FIG. 17) regarding the vulnerability identification information described in the second line element of the analysis rule when deriving the fact that is the end point. As a result, the analysis unit 6 identifies “CVE-2010-000x”, for example, as the attack means for record “1”. In addition, the analysis unit 6 may identify identification information of the segment that indicates a route from the device included in the fact that is the start point to the device included in the fact that is the end point, as the segment of record “1”.

FIG. 18 shows an example of an analysis rule labeled “dataInject02”. When the analysis rule illustrated in FIG. 18 is used to derive the fact that is the end point, the analysis unit 6 searches for record “2”, which is associated with the analysis rule illustrated in FIG. 18, among the records including the attack condition “arbitrary code execution/general privileges” and the attack result “data tampering/administrative privileges”. Then, the analysis unit 6 generates a new attack pattern by identifying the attack means and the segment in the record. In the case of identifying the attack means of record “2” associated with the analysis rule illustrated in FIG. 18, the analysis unit 6 may identify the information assigned to the variable “Flow” (refer to FIG. 18) in the third line element “data flow (SrcHost, DstHost, Flow)” of this analysis rule when deriving the fact that is the end point, and identify the protocol that corresponds to that information. The correspondence between the information assigned to the variable “Flow” and the protocol is known in advance when analyzing whether or not it is possible to derive the fact that is the end point from the fact that is the start point. As a result, the analysis unit 6 identifies “SMB (i.e., malicious use of SMB)”, for example, as the attack means for record “2”. In addition, the analysis unit 6 may identify identification information of the segment that indicates a route from the device included in the fact that is the start point to the device included in the fact that is the end point, as the segment of record “2”.

In the above, examples of the operation of identifying the attack means have been shown, using the analysis rule illustrated in FIG. 17 or in FIG. 18 when deriving the fact that is the end point. However, the operation to identify the attack means is not limited to the above examples. When the analysis unit 6 identifies an attack means for a record in the pattern table that includes the attack condition and the attack result known from the fact that is the start point and the fact that is the end point, and that is associated with the analysis rule used when deriving the fact that is the end point, the analysis unit 6 may identify the attack means using the method defined for that analysis rule.

In some cases, such as record “3” shown in FIG. 15, the attack means (in this case, ArpSpoofing) is defined in advance for the pair of the attack condition and the attack result. If the analysis unit 6 finds such a record, the analysis unit 6 can generate an attack pattern that includes the attack means already defined in that record.

When identifying the segment, the analysis unit 6 may identify the identification information of the segment that shows the path from the device included in the fact that is the start point to the device included in the fact that is the end point.

When the analysis unit 6 determines that it is possible to derive the fact that is the end point from the fact that is the start point, the analysis unit 6 generates an attack pattern that includes the attack state and privileges included in the fact that is the start point, the attack state and privileges included in the fact that is the end point, the already decided information included in the record corresponding to the analysis rule used to derive the fact that is the end point, and the attack means and the segment identified as described above.

Here, the attack condition included in the generated attack pattern corresponds to the attack state and privileges included in the fact that is the start point, and the attack result included in the attack pattern corresponds to the attack state and privileges included in the fact that is the end point.

The analysis unit 6 generates one or more pairs of a fact that is the start point and a fact that is the end point. Therefore, the same record may be retrieved from the pattern table multiple times. In such a case, the analysis unit 6 can identify the pending matter in the record each time it is retrieved, and add the newly identified matter to the attack pattern.

FIG. 14 shows an example of an attack pattern generated by the analysis unit 6 as described above.

The analysis unit 6 stores the generated attack pattern in the attack pattern storage unit 7. The attack pattern storage unit 7 is a storage device that stores the attack patterns.

The pattern table storage unit 11 and the attack pattern storage unit 7 are realized by the storage device provided by the computer.
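The pattern table lookup and the filling in of pending matters described above (records 1 and 2 sharing a condition/result pair but resolved by different analysis rules, record 3 with a predetermined attack means, and the same record being retrieved more than once) can be written out as follows. This is an added example, not the patent's code: the pattern table rows, the Flow-to-protocol map, the segment identifiers and the variable bindings handed over by each analysis rule are all constructed here, and only the condition/result pair of records 1 and 2 and the value “CVE-2010-000x” come from the page.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class PatternRecord:
    """One row of the pattern table (FIG. 15). Attack means and segment are
    pending (None) unless predetermined; a row may be tied to one analysis rule."""
    number: int
    condition: tuple                 # (attack state, privileges) at the start point
    result: tuple                    # (attack state, privileges) at the end point
    rule: Optional[str] = None       # analysis rule label the row is associated with
    means: Optional[str] = None      # predetermined attack means, e.g. "ArpSpoofing"
    overview: str = ""
    risk: int = 0
    user_involvement: bool = False


# Constructed pattern table. Records 1 and 2 share the condition/result pair given
# on the page and differ only in the associated rule; record 3 is a constructed
# row whose attack means is predetermined, as "ArpSpoofing" is in FIG. 15.
PATTERN_TABLE = [
    PatternRecord(1, ("arbitrary code execution", "general privileges"),
                  ("data tampering", "administrative privileges"), rule="dataInject01",
                  overview="data injection via a software vulnerability", risk=3),
    PatternRecord(2, ("arbitrary code execution", "general privileges"),
                  ("data tampering", "administrative privileges"), rule="dataInject02",
                  overview="data injection via a protocol", risk=2),
    PatternRecord(3, ("account holding", "general privileges"),
                  ("arbitrary code execution", "general privileges"), means="ArpSpoofing",
                  overview="credential interception on the segment", risk=2),
]

# Constructed: how the pending attack means is identified for each rule from the
# variable bindings produced when that rule derived the end point fact.
FLOW_TO_PROTOCOL = {"flow_01": "SMB", "flow_02": "FTP"}
MEANS_RESOLVERS = {
    "dataInject01": lambda bindings: bindings["CVEID"],                  # wildcard CVEID
    "dataInject02": lambda bindings: FLOW_TO_PROTOCOL[bindings["Flow"]],  # Flow -> protocol
}

# Constructed segment identifiers assigned in advance to device pairs
# (a device and itself is also a segment, as the page notes).
SEGMENTS = {("Host A", "Host B"): "S1", ("Host A", "Host C"): "S2", ("Host C", "Host C"): "S3"}


@dataclass
class AttackPattern:
    number: int
    condition: tuple
    result: tuple
    overview: str
    risk: int
    user_involvement: bool
    means: set = field(default_factory=set)
    segments: set = field(default_factory=set)


def find_record(condition, result, rule):
    """Search the pattern table for the record matching condition, result and rule.

    A record whose attack means is predetermined matches on condition/result alone.
    """
    for rec in PATTERN_TABLE:
        if rec.condition != condition or rec.result != result:
            continue
        if rec.means is not None or rec.rule == rule:
            return rec
    return None


def generate_attack_pattern(patterns, start_fact, end_fact, rule, bindings):
    """Fill in the pending attack means and segment for one derived pair.

    Facts are (device, attack state, privileges). Retrieving the same record again
    adds the newly identified means/segment to the pattern already in `patterns`.
    """
    condition, result = start_fact[1:], end_fact[1:]
    rec = find_record(condition, result, rule)
    if rec is None:
        return None
    means = rec.means if rec.means is not None else MEANS_RESOLVERS[rec.rule](bindings)
    segment = SEGMENTS[(start_fact[0], end_fact[0])]
    pattern = patterns.setdefault(rec.number, AttackPattern(
        rec.number, rec.condition, rec.result, rec.overview, rec.risk, rec.user_involvement))
    pattern.means.add(means)
    pattern.segments.add(segment)
    return pattern
```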

Next, an example of the display of an attack scenario and an attack pattern will be described. As described above, when displaying an attack scenario, the display control unit 8 displays the attack pattern generated based on the pair (a pair of the fact that is the start point and the fact that is the end point) on which the attack scenario is based. FIG. 19 is a schematic diagram showing an example of the display of an attack scenario and an attack pattern.

For example, as illustrated in FIG. 19, the display control unit 8 may display a list of attack patterns, and also display the pattern numbers of the attack patterns generated based on the pairs on which the attack scenario is based, in association with the edges representing the attack scenario. With such a display, the administrator can grasp the attack pattern associated with the attack scenario.

The mode in which an attack pattern associated with an attack scenario is displayed is not limited to the example shown in FIG. 19. For example, the display control unit 8 may display the pattern numbers of the attack patterns generated based on the pairs on which the attack scenario is based, in association with the edge representing the attack scenario, and, when a click or other operation is performed on a displayed pattern number, display the attack pattern of that pattern number.

In the present example embodiment, in step S9 (refer to FIG. 7), in addition to the operation of step S9 in the first example embodiment, the analysis unit 6 may also perform an operation of generating an attack pattern for the selected pair and storing the attack pattern in the attack pattern storage unit 7. Further, in step S10 (refer to FIG. 8), in addition to the operation of step S10 in the first example embodiment, the display control unit 8 may also perform an operation of displaying an attack pattern associated with an attack scenario.

According to the present example embodiment, since not only an attack scenario but also an attack pattern is displayed, it is possible to present the analysis result regarding the attack to the administrator more specifically.

A modification of the first example embodiment or the second example embodiment may be applied to the third example embodiment.

In each of the example embodiments, it has been explained that the analysis unit 6 generates a combination of one of the devices, one of the multiple types of attack states, and one of the privileges that can correspond to the attack target as the fact that is the start point or the fact that is the end point of the attack graph. When generating the fact that is the start point and the fact that is the end point of the attack graph, the analysis unit 6 may instead omit the privileges from the combination and generate a combination of one of the devices and one of the multiple types of attack states as the fact that is the start point or the fact that is the end point. In other words, each of the fact that is the start point and the fact that is the end point may be at least a pair of a device and an attack state. In this case, the analysis unit 6 may generate a combination of one of the devices and one of the multiple attack states as the fact that is the start point of the attack graph and a combination of one of the devices and one of the multiple attack states as the fact that is the end point of the attack graph.

The analysis unit 6 may first generate combinations that exclude privileges as the fact that is the start point and the fact that is the end point, analyze whether it is possible to derive the fact that is the end point from the fact that is the start point, and, when it is determined that it is possible to derive the fact that is the end point from the fact that is the start point, newly generate combinations including the device, attack state, and privileges for the fact that is the start point and the fact that is the end point. Then, the analysis unit 6 may analyze again whether or not it is possible to derive the fact that is the end point from the fact that is the start point. This process can efficiently generate an attack scenario and an attack pattern while preventing redundant analysis, by first generating a combination that excludes privileges for the fact that is the start point or the fact that is the end point. When generating combinations that exclude privileges as the fact that is the start point or the end point, it is sufficient to exclude privileges from the attack condition and the attack result in the pattern table as well.

Example Embodiment 4

In the analysis system of the fourth example embodiment of the present invention, an attack graph regarding the system to be diagnosed is input. Based on the attack graph, the analysis system of the fourth example embodiment determines pairs of combination nodes, which are nodes that indicate combinations of devices, attack states, and privileges, and generates an attack scenario for each pair of combination nodes. The attack scenario is the same as the attack scenarios in each of the aforementioned example embodiments.

FIG. 20 is a block diagram showing an example of the analysis system of the fourth example embodiment of the present invention. Elements that are the same as in the first example embodiment are marked with the same sign as in FIG. 2, and a detailed description is omitted. However, the operation of the analysis unit 6 is partially different from that of the analysis unit 6 in the first example embodiment. The operation of the analysis unit 6 in the present example embodiment will be explained as appropriate. The analysis system 1 of the fourth example embodiment comprises an input unit 12, the analysis unit 6, the attack scenario storage unit 19, the display control unit 8 and the display device 9. The attack scenario storage unit 19, the display control unit 8, and the display device 9 are the same as the attack scenario storage unit 19, the display control unit 8, and the display device 9 in the first example embodiment.

An attack graph regarding the system to be diagnosed is input to the input unit 12. The input unit 12 is realized by an input device (e.g., a data reader that reads data recorded on a recording medium) that serves as an input interface for the attack graph. The analysis unit 6 receives the input of the attack graph via the input unit 12.

The attack graph that is input to the input unit 12 is generated in advance. FIG. 21 is a schematic diagram showing an example of an attack graph input to the input unit 12. Each node included in the attack graph represents a fact. In other words, each node included in the attack graph corresponds to a fact.

The input attack graph includes nodes corresponding to facts generated based on information about each device in the system to be diagnosed, and nodes corresponding to facts generated based on already-generated nodes and analysis rules. In FIG. 21, the nodes corresponding to the facts generated based on the information about each device in the system to be diagnosed are represented by rectangles, and the nodes corresponding to the facts generated based on the already-generated nodes and analysis rules are represented by circles.

The attack graph also includes a plurality of combination nodes. A combination node is a node that represents a combination of a device, an attack state, and privileges. In other words, a combination node is a node that corresponds to a fact that corresponds to a combination of a device, an attack state, and privileges. The device indicated by a node is represented, for example, by a device ID. In addition, the attack state and the privileges are the same as the attack state and the privileges shown in the first example embodiment. In FIG. 21, combination nodes are shown hatched with oblique lines. Also, in the example shown in FIG. 21, four combination nodes 91, 92, 93, and 94 are shown in the figure.

When the analysis unit 6 receives the input of the attack graph via the input unit 12, the analysis unit 6 searches the attack graph for all pairs of a combination node and the next combination node of that combination node. When searching for pairs of combination nodes, the analysis unit 6 searches for pairs consisting of two combination nodes such that the condition that there are no other combination nodes on the path between the two combination nodes is satisfied. For example, when the attack graph illustrated in FIG. 21 is given, the analysis unit 6 finds a pair consisting of combination nodes 91, 92, a pair consisting of combination nodes 92, 93, and a pair consisting of combination nodes 92, 94.

Pairs that do not satisfy the above condition include, for example, the pair of combination nodes 91, 94. There is another combination node 92 on the path between the combination nodes 91, 94 (refer to FIG. 21). Therefore, the analysis unit 6 does not consider the pair of combination nodes 91, 94 as a target of the search.

Of the two paired combination nodes, the upstream combination node in the attack graph is denoted as the start point combination node. Of the two paired combination nodes, the downstream combination node in the attack graph is denoted as the end point combination node. For example, in the pair consisting of combination nodes 91, 92, the combination node 91 is the start point combination node, and the combination node 92 is the end point combination node.

For each obtained pair, the analysis unit 6 generates an attack scenario (information that represents a transition relationship of a combination of a device, an attack state, and privileges that can correspond to the attack state). For each pair, the analysis unit 6 may generate, as an attack scenario, information that indicates a transition from the “combination of a device, an attack state, and privileges” corresponding to the start point combination node to the “combination of a device, an attack state, and privileges” corresponding to the end point combination node.

The analysis unit 6 then stores the attack scenario generated for each pair of combination nodes in the attack scenario storage unit 19.

The display control unit 8 displays each attack scenario generated by the analysis unit 6 on the display device 9. The display mode of the attack scenarios may, for example, be the same as the display mode in the first example embodiment. That is, for the start point combination node in the pair of combination nodes, the display control unit 8 displays a second icon representing privileges in a first icon representing a device and displays a third icon representing the attack state in the second icon, and, also for the end point combination node in the pair of combination nodes, displays a second icon representing privileges in a first icon representing a device and displays a third icon representing the attack state in the second icon. The display control unit 8 may then display an edge extending from the third icon corresponding to the start point combination node to the third icon corresponding to the end point combination node.

Further, the display control unit 8 may omit displaying the second icon and display the third icon in the first icon in a predetermined case. The above predetermined case is the case where the privilege is “no relevant privileges”. This point is the same as in the first example embodiment.

In the fourth example embodiment, the analysis unit 6 and the display control unit 8 are realized by a CPU of a computer that operates according to an analysis program, for example. For example, the CPU can read the analysis program from a program storage medium such as a program storage device, etc. of the computer, and operate as the analysis unit 6 and the display control unit 8 according to the analysis program. For example, the attack scenario storage unit 19 is realized by the storage device provided by the computer.

Next, the processing process will be described. FIG. 22 is a flowchartshowing an example of the processing process of the analysis system ofthe fourth example embodiment of the present invention. The mattersalready explained are omitted.

First, the analysis unit 6 receives the input of the attack graph via the input unit 12 (step S21).

The analysis unit 6 searches for all pairs of a combination node and the next combination node, from the attack graph (step S22).

Next, the analysis unit 6 determines whether or not all the pairs of combination nodes obtained in step S22 have been selected in step S24 (step S23). If there are unselected pairs (No in step S23), the process moves to step S24.

In step S24, the analysis unit 6 selects one of the pairs of combination nodes obtained in step S22 that has not yet been selected.

Next, the analysis unit 6 generates an attack scenario for the pair selected in step S24, and stores the attack scenario in the attack scenario storage unit 19 (step S25). After step S25, the analysis unit 6 repeats the process from step S23.

When the analysis unit 6 determines that all the pairs of combination nodes obtained in step S22 have already been selected in step S24 (Yes in step S23), the display control unit 8 reads each attack scenario stored in the attack scenario storage unit 19 and displays each attack scenario on the display device 9 (step S26).

In the fourth example embodiment, it is also possible to present the analysis results for a system to be diagnosed so that an attack order, etc. can be easily understood.

A modification of the first example embodiment may be applied to the fourth example embodiment. That is, the analysis system 1 of the fourth example embodiment (refer to FIG. 20) may comprise a topology identification unit that identifies the network topology of the devices included in the system to be diagnosed. For example, the topology identification unit may identify the network topology of each device based on a configuration of the network topology given by the administrator. The topology identification unit is realized, for example, by the CPU of the computer that operates according to an analysis program. This point is the same as a modification of the first example embodiment. The display control unit 8 may then display the attack scenario superimposed on the network topology. The example of displaying the attack scenario superimposed on the network topology has been described in the modification of the first example embodiment, and the explanation is omitted here.

The second example embodiment may be applied to the fourth example embodiment. That is, when the first device and second device are designated from the outside (e.g., an administrator), the display control unit 8 may display an attack scenario from the first device to the second device. Alternatively, when one device is designated from the outside (e.g., an administrator), the display control unit 8 may display attack scenarios from the one device to other devices. Examples of these displays are described in the second example embodiment, and the explanation is omitted here.

The third example embodiment may also be applied to the fourth example embodiment. That is, the analysis unit 6 may generate not only an attack scenario but also an attack pattern for each pair of combination nodes, and the display control unit 8 may display the attack patterns associated with the attack scenarios along with the attack scenarios. In this case, the analysis system 1 of the fourth example embodiment also comprises, in addition to each of the elements shown in FIG. 20, the pattern table storage unit 11 and the attack pattern storage unit 7 in the third example embodiment. The pattern table stored by the pattern table storage unit 11 has already been described in the third example embodiment, and the explanation is omitted here.

When the third example embodiment is applied to the fourth example embodiment, an attack graph regarding the system to be diagnosed and the analysis rules used to derive the facts corresponding to the nodes included in the attack graph are input to the input unit 12. The analysis unit 6 receives the input of the attack graph and each analysis rule via the input unit 12. FIG. 23 is a schematic diagram showing examples of the attack graph and each analysis rule that is input to the input unit 12. The matters already explained with reference to FIG. 21 are omitted.

In FIG. 23, the “a”, “b”, “c”, . . . , etc., signs shown near the nodes corresponding to the facts generated based on the already-generated nodes and analysis rules represent the analysis rules used to derive the facts. The analysis rule used to derive the fact is associated with the node corresponding to the fact. Each analysis rule associated with each node is then input to the input unit 12 along with the attack graph.

When the third example embodiment is applied to the fourth example embodiment, the analysis unit 6 generates not only an attack scenario but also an attack pattern (information that includes at least an attack condition, an attack result, and an attack means) for each pair of combination nodes. Hereinafter, generation of attack patterns will be described.

When focusing on one pair of combination nodes, the analysis unit 6 generates an attack pattern based on the attack state and the privileges indicated by the start point combination node in the pair, the attack state and the privileges indicated by the end point combination node in the pair, and the analysis rule used to derive the fact corresponding to the end point combination node. The analysis rule used to derive the fact corresponding to the end point combination node is associated with that end point combination node. Therefore, the analysis unit 6 is able to identify the analysis rule used to derive the fact corresponding to the end point combination node.

The operation of generating the attack pattern based on the attack state and the privileges indicated by the start point combination node in the pair, the attack state and the privileges indicated by the end point combination node in the pair, and the analysis rule used to derive the fact corresponding to the end point combination node is the same as the operation of generating the attack pattern based on the attack state and privileges included in the fact that is the start point, the attack state and privileges included in the fact that is the end point, and the analysis rule used to derive the fact that is the end point in the third example embodiment. In other words, the analysis unit 6 searches a record, from the pattern table (refer to FIG. 15), according to the attack state and the privileges indicated by the start point combination node in the pair, the attack state and the privileges indicated by the end point combination node in the pair, and the analysis rule used to derive the fact corresponding to the end point combination node. Then, by identifying the undetermined information in the searched record, the attack pattern for the pair in focus is generated.

The analysis unit 6 determines the attack means included in the attack pattern based on the analysis rule used to derive the fact corresponding to the end point combination node in the pair. This operation is similar to the operation of determining the attack means based on the analysis rule in the third example embodiment. In the third example embodiment, the operation of determining the attack means based on the analysis rules is described, for example, with reference to FIGS. 17 and 18. However, as described in the third example embodiment, the operation of identifying the attack means is not limited to the example in the case of using the analysis rules illustrated in FIG. 17 or in the case of using the analysis rules illustrated in FIG. 18. The analysis unit 6 may identify the attack means in a manner defined according to the analysis rule.

In some cases, such as the record “3” shown in FIG. 15, the attack means (in this case, ArpSpoofing) has been defined in advance for the pair of attack condition and attack result. When the analysis unit 6 searches for such a record, the analysis unit 6 can generate an attack pattern that includes the attack means that has already been defined in the record.

When identifying a segment, the analysis unit 6 may identify the identification information of the segment that indicates the route from the device indicated by the start point combination node in the pair to the device indicated by the end point combination node in the pair.

The analysis unit 6 then generates an attack pattern that includes the determined information included in the searched record, the identified attack means, and the segment.

Here, the attack condition included in the generated attack pattern is the attack state and privileges indicated by the start point combination node in the pair, and the attack result included in the attack pattern is the attack state and privileges indicated by the end point combination node in the pair.

The analysis unit 6 stores the attack pattern generated for each pair of combination nodes in the attack pattern storage unit 7.
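The pair search of steps S22 to S25 and the pattern-table lookup described above, as an added example that is not part of the patent: a constructed attack graph, a constructed pattern table, and a hypothetical rule-to-means mapping stand in for the contents of FIG. 21, FIG. 15 and FIGS. 17 and 18, which are not reproduced here. The one page-given value it uses is the predefined means "ArpSpoofing" of record "3".

```python
# Constructed example of the analysis unit's pair search (steps S22 to S25) and
# attack pattern generation. Devices, attack states, rule labels and pattern table
# records are made-up sample data, not the contents of FIG. 15, FIG. 21 or FIG. 23.
from collections import deque
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

NO_PRIV = "no relevant privileges"  # the privilege value for which the second icon is omitted


@dataclass(frozen=True)
class Node:
    node_id: str
    rule: Optional[str] = None          # analysis rule ("a", "b", ...) used to derive this fact
    device: Optional[str] = None        # device, attack_state and privileges are set only on
    attack_state: Optional[str] = None  # combination nodes; other nodes are plain fact nodes
    privileges: Optional[str] = None

    def is_combination(self) -> bool:
        return self.device is not None

    def combo(self) -> Tuple[str, str, str]:
        return (self.device, self.attack_state, self.privileges)

# (nodes by id, downstream edges by id); the attack graph is assumed to be acyclic
Graph = Tuple[Dict[str, Node], Dict[str, List[str]]]


def find_combination_pairs(graph: Graph) -> List[Tuple[Node, Node]]:
    """Step S22: for every combination node (start point), find the next combination
    node(s) downstream (end point), walking through intermediate non-combination facts."""
    nodes, edges = graph
    pairs = []
    for start_id in sorted(nodes):
        start = nodes[start_id]
        if not start.is_combination():
            continue
        queue, seen = deque(edges.get(start_id, [])), set()
        while queue:
            nid = queue.popleft()
            if nid in seen:
                continue
            seen.add(nid)
            node = nodes[nid]
            if node.is_combination():
                pairs.append((start, node))  # the search stops at the next combination node
            else:
                queue.extend(edges.get(nid, []))
    return pairs


def attack_scenario(start: Node, end: Node) -> Dict[str, Tuple[str, str, str]]:
    """Step S25: the transition from the start point combination to the end point combination."""
    return {"from": start.combo(), "to": end.combo()}

# Constructed pattern table (stand-in for FIG. 15). A rule of None matches any rule; a means
# of None is undetermined information, filled in from the rule that derived the end point fact.
PATTERN_TABLE = [
    {"id": 1, "condition": ("foothold", NO_PRIV), "result": ("code_exec", "user"), "rule": "a", "means": None},
    {"id": 2, "condition": ("code_exec", "user"), "result": ("code_exec", "admin"), "rule": "b", "means": None},
    # like the page's record "3": the attack means is already defined in the record
    {"id": 3, "condition": ("foothold", NO_PRIV), "result": ("mitm", NO_PRIV), "rule": None, "means": "ArpSpoofing"},
]
# Hypothetical rule-to-means mapping, standing in for the manner defined by each analysis rule.
RULE_MEANS = {"a": "exploitation of an exposed service", "b": "privilege escalation"}


def generate_attack_pattern(start: Node, end: Node, table=PATTERN_TABLE, rule_means=RULE_MEANS):
    """Search the pattern table by the start/end attack state and privileges and by the rule
    that derived the end point fact, then fill in the record's undetermined information."""
    for rec in table:
        if rec["condition"] != (start.attack_state, start.privileges):
            continue
        if rec["result"] != (end.attack_state, end.privileges):
            continue
        if rec["rule"] is not None and rec["rule"] != end.rule:
            continue
        means = rec["means"] if rec["means"] is not None else rule_means.get(end.rule, "undetermined")
        return {
            "record": rec["id"],
            "attack_condition": rec["condition"],   # attack state and privileges of the start point
            "attack_result": rec["result"],         # attack state and privileges of the end point
            "attack_means": means,
            "segment": f"{start.device}->{end.device}",  # constructed route identifier
        }
    return None  # no matching record: no attack pattern for this pair


def sample_graph() -> Graph:
    """Constructed attack graph: combination nodes joined through an intermediate fact node."""
    nodes = {
        "n1": Node("n1", device="host-A", attack_state="foothold", privileges=NO_PRIV),
        "n2": Node("n2", rule="a"),  # intermediate fact derived by rule "a"
        "n3": Node("n3", rule="a", device="host-B", attack_state="code_exec", privileges="user"),
        "n4": Node("n4", rule="b", device="host-B", attack_state="code_exec", privileges="admin"),
        "n5": Node("n5", rule="c", device="host-C", attack_state="mitm", privileges=NO_PRIV),
    }
    edges = {"n1": ["n2", "n5"], "n2": ["n3"], "n3": ["n4"]}
    return nodes, edges


def analyze(graph: Graph):
    """Steps S22 to S25 with attack pattern generation: one (scenario, pattern) per pair."""
    return [(attack_scenario(s, e), generate_attack_pattern(s, e))
            for s, e in find_combination_pairs(graph)]
```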

The display control unit 8 displays the attack patterns associated with the attack scenarios along with the attack scenarios. This display mode has already been described with reference to FIG. 19, and the explanation is omitted here.

FIG. 24 is a schematic block diagram of a configuration example of a computer for an analysis system of each example embodiment of the present invention. The computer comprises a CPU 1001, a main memory 1002, an auxiliary memory 1003, an interface 1004, a display device 1005 and a communication interface 1006. The computer 1000 that realizes the analysis system 1 of the fourth example embodiment comprises an input device (not shown in FIG. 24) that corresponds to the input unit 12.

The analysis system 1 of each example embodiment of the present invention is realized by a computer 1000. The operation of the analysis system 1 is stored in the auxiliary memory 1003 in the form of an analysis program. The CPU 1001 reads the analysis program from the auxiliary memory 1003, deploys the program to the main memory 1002, and executes the processes described in each example embodiment above according to the analysis program.

The auxiliary memory 1003 is an example of a non-transitory tangible medium. Other examples of non-transitory tangible media are a magnetic disk, an optical magnetic disk, a CD-ROM (Compact Disk Read Only Memory), a DVD-ROM (Digital Versatile Disk Read Only Memory), a semiconductor memory, and the like, which are connected through the interface 1004. When the program is delivered to the computer 1000 through a communication line, the computer 1000 that receives the delivery may deploy the program to the main memory 1002 and execute the process of each example embodiment according to the program.

Some or all of the components may be realized by general-purpose or dedicated circuitry, processors, or a combination of these. They may be configured by a single chip or by multiple chips connected through a bus. Some or all of the components may be realized by a combination of the above-mentioned circuitry, etc. and a program.

When some or all of each component is realized by multiple information processing devices, circuits, etc., the multiple information processing devices, circuits, etc. may be centrally located or distributed. For example, the information processing devices, circuits, etc. may be implemented as a client-and-server system, cloud computing system, etc., each of which is connected through a communication network.

Next, a summary of the present invention will be described. FIG. 25 is a block diagram showing a summarized analysis system of the present invention. The analysis system of the present invention comprises a fact generation unit 4 and an analysis unit 6.

The fact generation unit 4 generates a fact which is data representing a security situation of a system to be diagnosed, based on information regarding each device included in the system to be diagnosed.

The analysis unit 6 generates one or more pairs of a start point fact which is a fact representing possibility of an attack in the device that is a start point and an end point fact which is a fact representing possibility of an attack in the device that is an end point, analyzes, for each pair, whether or not it is possible to derive the end point fact from the start point fact, based on facts representing states of the devices generated based on information regarding the device that is the start point and information regarding the device that is the end point, the start point fact, and one or more analysis rules for analyzing the attack, and generates an attack scenario which is information that represents a transition relationship of a combination of the device, an attack state, and privileges that can correspond to the attack state according to the start point fact and the end point fact, in a case where it is possible to derive the end point fact from the start point fact.

With such a configuration, it is possible to present the analysis results for a system to be diagnosed so that an attack order, etc. can be easily understood.

FIG. 26 is a block diagram showing another example of a summarized analysis system of the present invention. The analysis system illustrated in FIG. 26 comprises an input unit 12 and an analysis unit 6.

An attack graph regarding a system to be diagnosed is input to the input unit 12.

The analysis unit 6 searches for a pair of a combination node indicating a combination of a device, an attack state, and privileges, and a combination node next to the combination node, and generates an attack scenario which is information that represents a transition relationship of a combination of the device, the attack state, and the privileges that can correspond to the attack state, for each pair of the combination nodes.

Even with such a configuration, it is possible to present the analysis results for a system to be diagnosed so that an attack order, etc. can be easily understood.

Each example embodiment of the present invention described above may also be described as supplementary notes below, but is not limited to the following.

(Supplementary Note 1)

An analysis system comprising:

- a fact generation unit which generates a fact which is data representing a security situation of a system to be diagnosed, based on information regarding each device included in the system to be diagnosed; and
- an analysis unit which generates one or more pairs of a start point fact which is a fact representing possibility of an attack in the device that is a start point and an end point fact which is a fact representing possibility of an attack in the device that is an end point, analyzes, for each pair, whether or not it is possible to derive the end point fact from the start point fact, based on facts representing states of the devices generated based on information regarding the device that is the start point and information regarding the device that is the end point, the start point fact, and one or more analysis rules for analyzing the attack, and generates an attack scenario which is information that represents a transition relationship of a combination of the device, an attack state, and privileges that can correspond to the attack state according to the start point fact and the end point fact, in a case where it is possible to derive the end point fact from the start point fact.

(Supplementary Note 2)

The analysis system according to Supplementary note 1, wherein

- the analysis unit
    - generates a combination of one of the devices, one of multiple types of attack states defined in advance, and one of privileges that can correspond to the attack state, as the start point fact, and
    - generates a combination of one of the devices, one of the multiple types of the attack states, and one of privileges that can correspond to the attack state, as the end point fact.

(Supplementary Note 3)

The analysis system according to Supplementary note 1 or 2, further comprising:

- a display control unit which displays the attack scenario generated by the analysis unit on a display device.

(Supplementary Note 4)

The analysis system according to Supplementary note 3, wherein

- the display control unit displays the attack scenario by displaying a second icon representing the privileges in a first icon representing the device, displaying a third icon representing the attack state in the second icon, for each of the start point fact and the end point fact, and displaying an edge extending from the third icon corresponding to the start point fact to the third icon corresponding to the end point fact, and
- omits displaying the second icon in a predetermined case.

(Supplementary Note 5)

The analysis system according to Supplementary note 3 or 4, wherein

- when a first device and a second device are designated from outside, the display control unit displays the attack scenario from the first device to the second device.

(Supplementary Note 6)

The analysis system according to Supplementary note 3 or 4, wherein

- when one device is designated from outside, the display control unit displays the attack scenario from the one device to another device.

(Supplementary Note 7)

The analysis system according to any one of Supplementary notes 3 to 6, further comprising:

- a topology identification unit which identifies a network topology of devices included in the system to be diagnosed,
- wherein the display control unit displays the attack scenario superimposed on the network topology.

(Supplementary Note 8)

The analysis system according to any one of Supplementary notes 3 to 7, wherein

- in the case where it is possible to derive the end point fact from the start point fact, the analysis unit generates an attack pattern that includes at least an attack condition, an attack result, and an attack means, and
- wherein the display control unit displays the attack pattern associated with the attack scenario along with the attack scenario.

(Supplementary Note 9)

An analysis system comprising:

- an input unit to which an attack graph regarding a system to be diagnosed is input, and
- an analysis unit which searches for a pair of a combination node indicating a combination of a device, an attack state, and privileges, and a combination node next to the combination node, and generates an attack scenario which is information that represents a transition relationship of a combination of the device, the attack state, and the privileges that can correspond to the attack state, for each pair of the combination nodes.

(Supplementary Note 10)

The analysis system according to Supplementary note 9, further comprising:

- a display control unit which displays the attack scenario generated by the analysis unit on a display device.

(Supplementary Note 11)

The analysis system according to Supplementary note 10, wherein

- the display control unit displays the attack scenario by displaying a second icon representing the privileges in a first icon representing the device, displaying a third icon representing the attack state in the second icon, for each of a start point combination node and an end point combination node in a pair of the combination nodes, and displaying an edge extending from the third icon corresponding to the start point combination node to the third icon corresponding to the end point combination node, and
- omits displaying the second icon in a predetermined case.

(Supplementary Note 12)

The analysis system according to Supplementary note 10 or 11, wherein

- when a first device and a second device are designated from outside, the display control unit displays the attack scenario from the first device to the second device.

(Supplementary Note 13)

The analysis system according to Supplementary note 10 or 11, wherein

- when one device is designated from outside, the display control unit displays the attack scenario from the one device to another device.

(Supplementary Note 14)

The analysis system according to any one of Supplementary notes 10 to 13, further comprising:

- a topology identification unit which identifies a network topology of the devices included in the system to be diagnosed,
- wherein the display control unit displays the attack scenario superimposed on the network topology.

(Supplementary Note 15)

The analysis system according to any one of Supplementary notes 10 to 14, wherein

- the analysis unit generates an attack pattern that includes at least an attack condition, an attack result, and an attack means, for each pair of the combination nodes, and
- wherein the display control unit displays the attack pattern associated with the attack scenario along with the attack scenario.

(Supplementary Note 16)

An analysis method, wherein one or more computers

- generate a fact which is data representing a security situation of a system to be diagnosed, based on information regarding each device included in the system to be diagnosed; and
- generate one or more pairs of a start point fact which is a fact representing possibility of an attack in the device that is a start point and an end point fact which is a fact representing possibility of an attack in the device that is an end point, analyze, for each pair, whether or not it is possible to derive the end point fact from the start point fact, based on facts representing states of the devices generated based on information regarding the device that is the start point and information regarding the device that is the end point, the start point fact, and one or more analysis rules for analyzing the attack, and generate an attack scenario which is information that represents a transition relationship of a combination of the device, an attack state, and privileges that can correspond to the attack state according to the start point fact and the end point fact, in a case where it is possible to derive the end point fact from the start point fact.

(Supplementary Note 17)

An analysis method, wherein one or more computers

- receive an input of an attack graph regarding a system to be diagnosed, and
- search for a pair of a combination node indicating a combination of a device, an attack state, and privileges, and a combination node next to the combination node, and generate an attack scenario which is information that represents a transition relationship of a combination of the device, the attack state, and the privileges that can correspond to the attack state, for each pair of the combination nodes.

(Supplementary Note 18)

An analysis program causing a computer to execute:

- a fact generation process of generating a fact which is data representing a security situation of a system to be diagnosed, based on information regarding each device included in the system to be diagnosed; and
- an analysis process of generating one or more pairs of a start point fact which is a fact representing possibility of an attack in the device that is a start point and an end point fact which is a fact representing possibility of an attack in the device that is an end point, analyzing, for each pair, whether or not it is possible to derive the end point fact from the start point fact, based on facts representing states of the devices generated based on information regarding the device that is the start point and information regarding the device that is the end point, the start point fact, and one or more analysis rules for analyzing the attack, and generating an attack scenario which is information that represents a transition relationship of a combination of the device, an attack state, and privileges that can correspond to the attack state according to the start point fact and the end point fact, in a case where it is possible to derive the end point fact from the start point fact.

(Supplementary Note 19)

An analysis program causing a computer to execute:

- a receiving input process of receiving an input of an attack graph regarding a system to be diagnosed, and
- an analysis process of searching for a pair of a combination node indicating a combination of a device, an attack state, and privileges, and a combination node next to the combination node, and generating an attack scenario which is information that represents a transition relationship of a combination of the device, the attack state, and the privileges that can correspond to the attack state, for each pair of the combination nodes.

Although the invention of the present application has been described above with reference to the example embodiments, the present invention is not limited to the above example embodiments. Various changes can be made to the configuration and details of the present invention that can be understood by those skilled in the art within the scope of the present invention.

INDUSTRIAL APPLICABILITY

The present invention is suitably applied to an analysis system that analyzes attacks on systems to be diagnosed.

REFERENCE SIGNS LIST

1 Analysis system

2 Data collection unit

3 Data storage unit

4 Fact generation unit

5 Analysis rule storage unit

6 Analysis unit

7 Attack pattern storage unit

8 Display control unit

9 Display device

11 Pattern table storage unit

14 Topology identification unit

19 Attack scenario storage unit

What is claimed is:
 1. An analysis system comprising: a fact generation unit which generates a fact which is data representing a security situation of a system to be diagnosed, based on information regarding each device included in the system to be diagnosed; and an analysis unit which generates one or more pairs of a start point fact which is a fact representing possibility of an attack in the device that is a start point and an end point fact which is a fact representing possibility of an attack in the device that is an end point, analyzes, for each pair, whether or not it is possible to derive the end point fact from the start point fact, based on facts representing states of the devices generated based on information regarding the device that is the start point and information regarding the device that is the end point, the start point fact, and one or more analysis rules for analyzing the attack, and generates an attack scenario which is information that represents a transition relationship of a combination of the device, an attack state, and privileges that can correspond to the attack state according to the start point fact and the end point fact, in a case where it is possible to derive the end point fact from the start point fact.
 2. The analysis system according to claim 1, wherein the analysis unit generates a combination of one of the devices, one of multiple types of attack states defined in advance, and one of privileges that can correspond to the attack state, as the start point fact, and generates a combination of one of the devices, one of the multiple types of the attack states, and one of privileges that can correspond to the attack state, as the end point fact.
 3. The analysis system according to claim 1, further comprising: a display control unit which displays the attack scenario generated by the analysis unit on a display device.
 4. The analysis system according to claim 3, wherein the display control unit displays the attack scenario by displaying a second icon representing the privileges in a first icon representing the device, displaying a third icon representing the attack state in the second icon, for each of the start point fact and the end point fact, and displaying an edge extending from the third icon corresponding to the start point fact to the third icon corresponding to the end point fact, and omits displaying the second icon in a predetermined case.
 5. The analysis system according to claim 3, wherein when a first device and a second device are designated from outside, the display control unit displays the attack scenario from the first device to the second device.
 6. The analysis system according to claim 3, wherein when one device is designated from outside, the display control unit displays the attack scenario from the one device to another device.
 7. The analysis system according to claim 3, further comprising: a topology identification unit which identifies a network topology of devices included in the system to be diagnosed, wherein the display control unit displays the attack scenario superimposed on the network topology.
 8. The analysis system according to claim 3, wherein in the case where it is possible to derive the end point fact from the start point fact, the analysis unit generates an attack pattern that includes at least an attack condition, an attack result, and an attack means, and wherein the display control unit displays the attack pattern associated with the attack scenario along with the attack scenario.
 9. An analysis system comprising: an input unit to which an attack graph regarding a system to be diagnosed is input, and an analysis unit which searches for a pair of a combination node indicating a combination of a device, an attack state, and privileges, and a combination node next to the combination node, and generates an attack scenario which is information that represents a transition relationship of a combination of the device, the attack state, and the privileges that can correspond to the attack state, for each pair of the combination nodes.
 10. The analysis system according to claim 9, further comprising: a display control unit which displays the attack scenario generated by the analysis unit on a display device.
 11. The analysis system according to claim 10, wherein the display control unit displays the attack scenario by displaying a second icon representing the privileges in a first icon representing the device, displaying a third icon representing the attack state in the second icon, for each of a start point combination node and an end point combination node in a pair of the combination nodes, and displaying an edge extending from the third icon corresponding to the start point combination node to the third icon corresponding to the end point combination node, and omits displaying the second icon in a predetermined case.
 12. The analysis system according to claim 10, wherein when a first device and a second device are designated from outside, the display control unit displays the attack scenario from the first device to the second device.
 13. The analysis system according to claim 10, wherein when one device is designated from outside, the display control unit displays the attack scenario from the one device to another device.
 14. The analysis system according to claim 10, further comprising: a topology identification unit which identifies a network topology of the devices included in the system to be diagnosed, wherein the display control unit displays the attack scenario superimposed on the network topology.
 15. The analysis system according to claim 10, wherein the analysis unit generates an attack pattern that includes at least an attack condition, an attack result, and an attack means, for each pair of the combination nodes, and wherein the display control unit displays the attack pattern associated with the attack scenario along with the attack scenario.
 16. An analysis method, wherein one or more computers generate a fact which is data representing a security situation of a system to be diagnosed, based on information regarding each device included in the system to be diagnosed; and generate one or more pairs of a start point fact which is a fact representing possibility of an attack in the device that is a start point and an end point fact which is a fact representing possibility of an attack in the device that is an end point, analyze, for each pair, whether or not it is possible to derive the end point fact from the start point fact, based on facts representing states of the devices generated based on information regarding the device that is the start point and information regarding the device that is the end point, the start point fact, and one or more analysis rules for analyzing the attack, and generate an attack scenario which is information that represents a transition relationship of a combination of the device, an attack state, and privileges that can correspond to the attack state according to the start point fact and the end point fact, in a case where it is possible to derive the end point fact from the start point fact.
 17. An analysis method, wherein one or more computers receive an input of an attack graph regarding a system to be diagnosed, and search for a pair of a combination node indicating a combination of a device, an attack state, and privileges, and a combination node next to the combination node, and generate an attack scenario which is information that represents a transition relationship of a combination of the device, the attack state, and the privileges that can correspond to the attack state, for each pair of the combination nodes.
 18. A non-transitory computer-readable recording medium in which an analysis program is recorded, the analysis program causing a computer to execute: a fact generation process of generating a fact which is data representing a security situation of a system to be diagnosed, based on information regarding each device included in the system to be diagnosed; and an analysis process of generating one or more pairs of a start point fact which is a fact representing possibility of an attack in the device that is a start point and an end point fact which is a fact representing possibility of an attack in the device that is an end point, analyzing, for each pair, whether or not it is possible to derive the end point fact from the start point fact, based on facts representing states of the devices generated based on information regarding the device that is the start point and information regarding the device that is the end point, the start point fact, and one or more analysis rules for analyzing the attack, and generating an attack scenario which is information that represents a transition relationship of a combination of the device, an attack state, and privileges that can correspond to the attack state according to the start point fact and the end point fact, in a case where it is possible to derive the end point fact from the start point fact.
 19. (canceled) 
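The derivation-based analysis of claims 16 and 18 and the combination-node scenario of claims 9 and 17, worked through as an added example that is not part of the patent text: a start point fact is forward-chained over a small, constructed rule set, and if the end point fact is derived, the scenario is returned as ordered transitions between (device, attack state, privileges) nodes, each tagged with the attack means of claims 8 and 15. Device names, facts and rules are all hypothetical sample data.

```python
from collections import namedtuple

# Combination node from the claims: (device, attack state, privileges).
Combo = namedtuple("Combo", "device attack_state privileges")

# Constructed, hypothetical analysis rules (not the patent's own rule set):
# (attack means, set of precondition facts, derived combination node).
# Plain strings are device-state facts; Combo values are attack facts.
# Every rule has at least one Combo precondition so each derived node
# can be traced back to the node it was reached from.
RULES = [
    ("exploit web service", {Combo("pc1", "code_exec", "user"),
                             "reachable(pc1,server1)", "vuln(server1,web_rce)"},
     Combo("server1", "code_exec", "service")),
    ("local privilege escalation", {Combo("server1", "code_exec", "service"),
                                    "vuln(server1,local_privesc)"},
     Combo("server1", "code_exec", "root")),
    ("read stored data", {Combo("server1", "code_exec", "root")},
     Combo("server1", "data_access", "root")),
]

def attack_scenario(start, end, state_facts, rules=RULES):
    """Forward-chain from the start point fact over the rules; if the end point
    fact is derived, return the scenario as ordered (from_node, means, to_node)
    transitions, otherwise None."""
    known = set(state_facts) | {start}
    parent = {}                      # derived node -> (source node, means)
    changed = True
    while changed:
        changed = False
        for means, pre, concl in rules:
            if concl not in known and pre <= known:
                # any Combo precondition serves as the edge source
                src = next(p for p in pre if isinstance(p, Combo))
                parent[concl] = (src, means)
                known.add(concl)
                changed = True
    if end not in known:
        return None
    steps, node = [], end
    while node != start:             # walk back to the start point fact
        src, means = parent[node]
        steps.append((src, means, node))
        node = src
    return steps[::-1]

if __name__ == "__main__":
    facts = {"reachable(pc1,server1)", "vuln(server1,web_rce)",
             "vuln(server1,local_privesc)"}   # constructed device state
    for step in attack_scenario(Combo("pc1", "code_exec", "user"),
                                Combo("server1", "data_access", "root"), facts) or []:
        print(step)
```

Removing a single state fact (for example the local privilege escalation vulnerability) makes the end point fact underivable, and the function then reports no scenario for that pair.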